and non-local jumps

T. Crolard, E. Polonowski

Abstract

Relying on the formulae-as-types paradigm for classical logic, we define a program logic for an imperative 
language with higher-order procedural variables and non-local jumps. Then, we show how to derive a sound 
program logic for this programming language. As a by-product, we obtain a non-dependent type system 
which is more permissive than what is usually found in statically typed imperative languages. As a generic 
example, we encode imperative versions of delimited continuations operators shift and reset. 

Key words: callcc, continuation, monad, reset, shift, imperative programming, loop, jump, goto. 



1 Introduction 

In his seminal series of papers [44, 45, 46], Landin proposed a direct translation of an idealized Algol into the 
λ-calculus. This translation required extending the λ-calculus with a new operator J in order to handle non- 
local jumps in Algol. This operator, which was described in detail in [47] (see also [74] for an introduction), 
is the father of all control operators in functional languages (such as the famous call/cc of Scheme [40] or 
Standard ML of New Jersey [32]). The syntactic theory of control has subsequently been explored thoroughly 
by Felleisen [21]. 

A type system for control operators which extends the so-called Curry-Howard correspondence [16, 39] to 
classical logic first appeared in Griffin's pioneering work [31], and was immediately generalized to first-order 
dependent types (and Peano's arithmetic) by Murthy in his thesis [56]. In the following years, this extension of 
the formulas-as-types paradigm to classical logic was studied by several researchers, for instance in [7, 
69, 19, 41, 62], and by many others since. 

It is thus tempting to revisit Landin's work in the light of the formulas-as-types interpretation of control. 
Indeed, it is notoriously difficult to derive a sound program logic for an imperative language with procedures 
and non-local jumps [60], especially in the presence of local variables and higher-order procedures [73]. On 
the other hand, adding first-order dependent types to such an imperative language, and translating type 
derivations into proof derivations, appears more tractable. The program logic, which is difficult to obtain 
directly, is then derived mechanically. Moreover, by construction this logic deals elegantly with mutable 
higher-order procedural variables. 

As a stepping stone, we focus in this paper on Peano's arithmetic. The corresponding functional language 
(through the proofs-as-programs paradigm) is thus an extension of Gödel's System T [30] with control opera- 
tors as described in [56]. We shall use instead a variant which was proposed by Leivant [48, 49] (and redis- 
covered independently by Krivine and Parigot in the second-order framework [42]). The main advantage of 
this variant is that it requires no encoding in formulas (with Gödel numbers) to reason about functional pro- 
grams. Moreover, it can be extended to any other algebraic datatype (such as lists or trees). In this paper, 
the control operators are given an indirect semantics through a call-by-value CPS transform (we do not con- 
sider any direct-style semantics). As noticed in [56], this CPS transformation operates a variant of Kuroda's 
translation on dependent types [43]. 

The imperative counterpart of Gödel's System T [30] (called Loop^ω), which was defined by the authors in 
[15], is essentially an extension of Meyer and Ritchie's Loop language [51] with higher-order procedural vari- 
ables. Loop^ω is a genuine imperative language as opposed to a functional language with imperative features. 
However, Loop^ω is a "pure" imperative language: side-effects and aliasing are forbidden. These restrictions 
enable a simple location-free operational semantics [20]. Moreover, the type system relies on the distinction 
between mutable and read-only variables to prevent procedure bodies from referring to non-local mutable variables. 
This property is crucial to guarantee that fix-points cannot be encoded using procedural variables. Since 
there is no recursion and no unbounded loop construct in Loop^ω, one can prove that all Loop^ω programs 
terminate (note that the expressive power of System T is still attained thanks to mutable higher-order proce- 
dural variables). 

In this paper, we extend Loop^ω with first-order dependent types. This led us in particular to relax the 
underlying static type system. Indeed, for instance, after the assignment x := 0, the type of x is nat(0). The 
type of x is thus changed by this assignment whenever the former value of x is different from 0. Moreover, 
the type of x before the assignment does not matter: there is no need to even require that x be a natural 
number. Pushing this idea to the limit, we obtain a type system for Loop^ω where the type of any mutable 
variable can be changed by an assignment (or a procedure call). Although this feature seems characteristic 
of a dynamic language, our type system is fully static. Moreover, since dealing with mutable variables is nat- 
ural in imperative programming, global variables are easily simulated in the usual state-passing style. Besides, 
the logical meaning of this simulation is perfectly clear. 

The above remark suggests that usual static type systems for imperative languages are overly restrictive. 
Indeed, a pseudo-dynamic type system is quite expressive: typing an imperative program in state-passing 
style amounts (up to currying) to typing its functional image with a parameterised state monad [5]. To 
capture this expressivity would usually require an effect system on the imperative side [28]. Moreover, a 
pseudo-dynamic type system provides an elegant way to deal with uninitialized variables. Indeed, in a logical 
type system, a type is not necessarily inhabited and there are thus no default values for arbitrary types. 
Although it is possible to design a type system which tracks uninitialized variables, it would be awkward (and 
meaningless from a logical standpoint). On the other hand, in a pseudo-dynamic type system any mutable 
variable can be initialized to a default inhabited type with a chosen default value. 

Let us summarize the main developments of this paper. We rephrase Landin's translation for a total 
imperative language featuring higher-order procedures and non-local jumps and then we rely on the Curry- 
Howard correspondence for classical logic to derive a program logic for this language. To be more specific, we 
define a framework which includes an imperative language I, a call-by-value functional language F and a 
retraction between I and F as follows: 

• The functional language F, which is our formulation of Gödel's System T, is equipped with two usual 
type systems, a simple type system FS and a dependent type system FD which is akin to Leivant's 
MILP [48]. In particular, dependent types include arbitrary formulas of first-order arithmetic. 

• The imperative language I (essentially Loop^ω from [15]) is an extension of Meyer and Ritchie's Loop 
language [51] with higher-order procedural variables. Language I is also equipped with two (unusual) 
type systems, a pseudo-dynamic simple type system IS and a dependent type system ID. 

• A compositional translation ∗ from I to F is definable [15]. This translation actually provides a simu- 
lation: each evaluation step of an imperative program is simulated by a bounded number of reduction 
steps of its functional image. In this paper, we show that this translation is type-preserving in both the 
pseudo-dynamic and dependent frameworks. 

• We characterize the shape of the functional image of an imperative program by ∗: these functional 
terms are monadic normal forms [33] (also called A-normal forms [25]). A reverse translation ∘ from 
monadic normal forms of F to I is then defined, which is also compositional and type-preserving in 
both the pseudo-dynamic and dependent frameworks. 

• We show that (∗, ∘) forms a retraction. Consequently, from any dependently-typed functional program 
(and thus from any proof in Heyting arithmetic) we can derive an imperative program which imple- 
ments the corresponding dependent type. 

• F^c is then defined as an extension of F with control operators callcc and throw (taken from [32]). 
The semantics of F^c is given by a call-by-value CPS transformation into F. Following [33], since the 
functional image of an imperative program is in monadic normal form, we factor the CPS transforma- 
tion through Moggi's computational meta-language [53, 54]. 

• From F^c we derive I^c which extends I with two primitive procedures callcc and throw. Although we 
do not pretend that these control operators are natural in an imperative language, they can be used to 
define more conventional statements which have to interact with the control flow. It is of course not 
possible to encode arbitrary goto statements since our programming language is total. 






• Finally, as a generic example, by combining a simulated global state with callcc and throw, we show 
how to encode shift and reset [18] (and thus any representable monad) using Filinski's decomposition 
[23]. As a consequence, we obtain an indirect formulas-as-types interpretation of delimited continua- 
tions in a dependently-typed framework. 

Related works 

Although several program logics have been designed for higher-order procedural mutable variables or non- 
local jumps, we are not aware of any work which combines both in an imperative setting. 

Of course, there has been much research on Floyd-Hoare logics [26, 35, 36] (see the surveys [2] and [13]). 
Such program logics for higher-order procedures have been defined for instance in [17] (for Clarke's language 
L4 [9]) or more recently for stored parameterless procedures in [70]. Program logics for jumps have existed since 
[10], and although designing such a logic is error-prone [60], they have recently been used successfully for 
proving properties of low-level languages [22, 72]. 

A dependent type system for an imperative programming language is defined in [76], where the dependent 
types are restricted to ensure that type checking remains decidable. The authors also made the observation that 
imperative dependent types require allowing the type of variables to change during evaluation. However, they 
chose to restrict the type system in order to guarantee that the extracted program is typable in some usual 
static (non-dependent) type system. On the contrary, we believe that a dynamically-flavoured static type 
system should be advocated. 

Proofs-as-Imperative-Programs [67, 68] adapts the proofs-as-programs paradigm to the synthesis of impera- 
tive SML programs with side-effect free return values. The type theory is however intrinsically constructive; 
it requires a strong existential quantifier which is not compatible with classical logic [34]. 

The Dependent Hoare Type Theory [58] and the Imperative Hoare Logic [38, 37] are frameworks for rea- 
soning about effectful higher-order functions. The dynamic semantics of those systems are much more com- 
plicated (since aliasing is allowed) than our location-free semantics. Although the Dependent Hoare Type 
Theory contains control expressions and enjoys a formulas-as-types interpretation, it is not clear whether pro- 
grams correspond to proofs in some deduction system for classical logic. 

Plan of the paper. In Section 2, we present the untyped functional language F, the untyped imperative lan- 
guage I and their dynamic semantics. We also define the retraction (∗, ∘) between programs of I and 
monadic normal forms of F. Section 3 is devoted to the definition of the pseudo-dynamic type system IS. 
Section 4 contains the definitions of the dependently-typed systems ID and FD together with their main 
properties. In Section 5, we extend language F with control operators and its type system is raised to clas- 
sical arithmetic FD^c. Finally, in Section 6, we extend I with non-local jumps and we derive a corresponding 
program logic ID^c. 



2 Dynamic semantics of I and F 

In this section, we present the untyped functional language F (which is a variant of Gödel's System T) and the 
untyped imperative language I (which is an extension of Meyer and Ritchie's Loop language [51] with 
higher-order procedural variables, studied in [15]). We also define the dynamic semantics of both languages 
and the retraction (∗, ∘) between programs of I and monadic normal forms of F. 

2.1 Language F 

Gödel's System T may be defined as the simply typed λ-calculus extended with a type of natural numbers and 
with primitive recursion at all types [29]. The language F we consider in this paper is a variant of System T 
with product types (n-ary tuples actually) and a constant-time predecessor operation (since any definition of 
this function as a term of System T is at least linear under the call-by-value evaluation strategy [11]). More- 
over, we formulate this system directly as a context semantics (a set of reduction rules together with an 
inductive definition of evaluation contexts). As usual, we consider terms up to α-conversion and the set 
FV(t) of free variables of a term t is defined in the standard way. The rewriting system is summarized in 
Figure 2.1, where variables x, x1, ..., xn, y range over a set of identifiers and t[v1/x1, ..., vn/xn] denotes the 
usual capture-avoiding substitution. 
(terms)        t ::= x | 0 | S(t) | pred(t) | t1 t2 | λx.t | (t1, ..., tn) | let (x1, ..., xn) = t1 in t2 | rec(t1, t2, t3)

(values)       v ::= x | 0 | S(v) | (v1, ..., vn) | λx.t

(contexts)     C[ ] ::= [ ] | C[ ] t | v C[ ] | S(C[ ]) | pred(C[ ]) | rec(C[ ], t2, t3) | rec(v1, C[ ], t3) | rec(v1, v2, C[ ])
                      | (v1, ..., v(i−1), C[ ], t(i+1), ..., tn) | let (x1, ..., xn) = C[ ] in t

(evaluation rules)
    C[pred(0)]                                   → C[0]
    C[pred(S(v))]                                → C[v]
    C[rec(0, v2, λx.λy.t)]                       → C[v2]
    C[rec(S(v1), v2, λx.λy.t)]                   → C[(λx.λy.t) v1 rec(v1, v2, λx.λy.t)]
    C[(λx.t) v]                                  → C[t[v/x]]
    C[let (x1, ..., xn) = (v1, ..., vn) in t]    → C[t[v1/x1, ..., vn/xn]]

Figure 2.1. Syntax and context semantics of Language F 



Remark 2.1. In order to distinguish the successor S (which is a constructor) from the successor seen as an 
operation (whose evaluation should imply a reduction step), we use the keyword succ as an abbreviation for 
λx.S(x). 

Remark 2.2. We write λ(x1, ..., xn).t (or λx̄.t) as an abbreviation for λz.let (x1, ..., xn) = z in t where z is a 
fresh variable. Similarly, we write λ().t as an abbreviation for λz.let () = z in t where z is a fresh variable. 

2.1.1 Example: the Ackermann function 

The Ackermann function is an example of a function known not to be primitive recursive [63] but which can be 
represented in System T. Here follows an example of a slightly modified version of the function, defined by 
the following equations [49]: 

(1) a(0, n) = s(n) 

(2) a(s(z), 0) = s(s(0)) 

(3) a(s(z), s(u)) = a(z, a(s(z), u)) 

ack(m, n) = rec(m, λy.S(y), λi.λf.λy.rec(y, S(S(0)), λj.λk.(f k))) n 



2.2 Language I 

The untyped language I is essentially the Loop^ω language presented in [15] except that Loop^ω was explicitly 
typed. Moreover, the loop syntax is now for y := 0 until e {s}, where the bound e is excluded from the range 
(since this new syntax corresponds more closely to reasoning by induction). The location-free transition 
semantics [20] is also the same as in [15] except that we consider only sequences. Although it is somewhat 
more verbose, both semantics are clearly equivalent. 

2.2.1 Syntax 

The raw syntax of imperative programs is given below. There is nothing particular to this syntax except that 
we annotate each block {s}_x̄ with a list of variables x̄ (which corresponds to the mutable variables which 
may occur in the block). In the following grammar, x, y, z range over a set of identifiers, q ranges over nat- 
ural numbers (i.e. constant literals), ε denotes the empty sequence and ∗ denotes the singleton value. Free 
identifiers are defined in the standard way (see Appendix A). 
(command)      c ::= {s}_x̄ | for y := 0 until e {s}_x̄ | y := e | inc(y) | dec(y) | e(ē; ȳ)

(sequence)     s ::= ε | c; s | cst y = e; s | var y := e; s

(expression)   e ::= y | ∗ | q | (ē) | proc (in ȳ; out z̄) {s}_z̄



Notation 2.3. (values). Imperative values are closed expressions, i.e. the singleton value, natural numbers, 
procedures and tuples of values. We shall use w as a syntactic category for values whenever we need to 
distinguish between expressions and values. 

Remark 2.4. (no aliasing). In order to avoid parameter-induced aliasing problems, we assume that all yi 
are pairwise distinct in a procedure call p(ē; ȳ). 

Remark 2.5. (annotations). In a block {s}_x̄ the variables in x̄ are visible mutable variables (according to 
standard C-like scoping rules). Moreover, the list x̄ must also contain all the free mutable variables occurring 
in the sequence. Such annotations can automatically be inferred by taking, for instance, all the visible 
mutable variables. 

Remark 2.6. (no backpatching). No free mutable variable is allowed in the body of a procedure (except its 
out parameters). This restriction is required to prevent the well-known technique called "tying the recursive 
knot" [44] which takes advantage of higher-order mutable variables (or function pointers) to define arbitrary 
recursive functions. 

2.2.2 Example: the addition procedure 

Here follows a procedure that computes the addition of two natural numbers: 

cst add = proc (in X, Y; out Z) { 
  Z := X; 
  for I := 0 until Y { 
    inc(Z); 
  }_Z; 
}_Z 

2.2.3 Operational semantics 

The operational semantics is given as a transition system [66] which inductively defines a bin
ary relation ↦ 
between states. A state is a pair (s, μ) consisting of a sequence s and a store μ, where a store is a finite 
ordered mapping from (mutable) variables to closed imperative values (i.e. integer literals, procedures, ∗, 
and tuples of imperative values). 

Note that expressions do not require any evaluation since they are either variables or values. We thus introduce 
the following notation, which allows us to treat values and variables uniformly in the semantics: 

Notation 2.7. Given a store μ, let φ_μ be the trivial extension of μ to expressions defined as follows: φ_μ(x) = 
μ(x) if x is a variable, φ_μ(w) = w and φ_μ((e1, ..., en)) = (φ_μ(e1), ..., φ_μ(en)). In the sequel, we write e =_μ w for 
φ_μ(e) = w. 

Notation 2.8. Let s be a sequence. We write s[x ← w] for the substitution of a read-only variable x by a 
closed imperative value w and s[y ⇐ z] for the renaming of a mutable variable y by a mutable variable z. The 
formal definitions are similar to those given in [15]. 
(S.BLOCK-I)     (({ε}_x̄; s), μ) ↦ (s, μ)

(S.BLOCK-II)    (s1, μ) ↦ (s1', μ')
                ────────────────────────────────────────────
                (({s1}_x̄; s2), μ) ↦ (({s1'}_x̄; s2), μ')

(S.VAR-I)       ((var y := e; ε), μ) ↦ (ε, μ)

(S.VAR-II)      e =_μ w      (s, (μ, y ← w)) ↦ (s', (μ', y ← w'))
                ────────────────────────────────────────────────────
                ((var y := e; s), μ) ↦ ((var y := w'; s'), μ')

(S.ASSIGN)      e =_μ w
                ──────────────────────────────────
                ((y := e; s), μ) ↦ (s, μ[y ← w])

(S.INC)         μ(y) = q
                ─────────────────────────────────────────
                ((inc(y); s), μ) ↦ ((y := q + 1; s), μ)

(S.DEC)         μ(y) = q
                ─────────────────────────────────────────
                ((dec(y); s), μ) ↦ ((y := q − 1; s), μ)

(S.CALL)        ē =_μ w̄      p =_μ proc (in ȳ; out z̄) {s'}_z̄
                ──────────────────────────────────────────────────────────────
                ((p(ē; x̄); s), μ) ↦ (({s'[ȳ ← w̄][z̄ ⇐ x̄]}_x̄; s), μ[x̄ ← ∗])

(S.CST)         e =_μ w
                ──────────────────────────────────────
                ((cst y = e; s), μ) ↦ (s[y ← w], μ)

(S.FOR-I)       e =_μ 0
                ───────────────────────────────────────────────
                ((for y := 0 until e {s}_x̄; s'), μ) ↦ (s', μ)

(S.FOR-II)      e =_μ q + 1
                ───────────────────────────────────────────────────────────────────────────────────
                ((for y := 0 until e {s}_x̄; s'), μ) ↦ (({for y := 0 until q {s}_x̄; s[y ← q]}_x̄; s'), μ)

Figure 2.2. Transition semantics 

Notation 2.9. Let μ be a store. We write μ[y ← w] for the store update, i.e. μ[y ← w](x) = μ(x) if x ≠ y 
and μ[y ← w](y) = w. We write (μ, y ← w) for the store extension with the new variable y mapped to w. 

This definition of the transition system is summarized in Figure 2.2. 

Remark 2.10. This semantics is clearly deterministic since there is always at most one rule which can be 
applied (depending on the content of the store and the shape of the command). 
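As an added example (not code from the paper), here is a small big-step evaluator for the untyped language I that follows the transition rules of Figure 2.2, run on the addition procedure of Section 2.2.2. The tuple encoding of programs, the dict-based store and the names exec_seq, exec_cmd, run, run_add and run_mul are all constructed for this example. Two implementation choices are worth stating: read-only variables are kept in an environment rather than substituted into the program text (Notation 2.8), which is equivalent because they are never assigned, and dec(0) is kept at 0 (an assumption matching pred(0) = 0 in F; the rule in the figure writes q − 1 without saying what happens at 0).

```python
# Added example, not code from the paper: an evaluator for language I that
# follows Figure 2.2. Constructed encoding of the raw syntax of Section 2.2.1:
#   expressions: int q | '*' (the singleton value) | 'y' (a variable)
#                | (e1, ..., en) | ('proc', ins, outs, body)
#   commands:    ('assign', y, e) | ('inc', y) | ('dec', y) | ('block', s, xs)
#                | ('for', y, e, s, xs) | ('call', p, args, outs)
#                | ('cst', y, e) | ('var', y, e)   (scoped over the rest of s)
#   sequences:   Python lists of commands.
# The store mu is a dict of mutable variables. Read-only variables (cst and in
# parameters) live in a separate dict 'ro' instead of being substituted into
# the text; a procedure value carries the read-only bindings it was declared
# under, which is what makes it a closed value (Notation 2.3). Mutable
# variables are assumed not to be shadowed by inner declarations.

UNIT = '*'

def evaluate(e, store, ro):
    """phi_mu of Notation 2.7, extended with the read-only environment."""
    if isinstance(e, tuple) and e and e[0] == 'proc':
        return e if len(e) == 5 else e + ({**ro},)   # close over read-only vars
    if isinstance(e, tuple):
        return tuple(evaluate(x, store, ro) for x in e)
    if isinstance(e, str) and e != UNIT:
        return store[e] if e in store else ro[e]
    return e                                          # literal q or *

def exec_seq(seq, store, ro):
    """Run a sequence to completion, updating the store in place."""
    for i, cmd in enumerate(seq):
        if cmd[0] == 'cst':          # S.CST: y is read-only for the rest of s
            exec_seq(seq[i + 1:], store, {**ro, cmd[1]: evaluate(cmd[2], store, ro)})
            return
        if cmd[0] == 'var':          # S.VAR-I/II: y exists only while the rest of s runs
            store[cmd[1]] = evaluate(cmd[2], store, ro)
            exec_seq(seq[i + 1:], store, ro)
            del store[cmd[1]]
            return
        exec_cmd(cmd, store, ro)

def exec_cmd(cmd, store, ro):
    tag = cmd[0]
    if tag == 'assign':              # S.ASSIGN: the value (hence the type) of y may change
        store[cmd[1]] = evaluate(cmd[2], store, ro)
    elif tag == 'inc':               # S.INC
        store[cmd[1]] += 1
    elif tag == 'dec':               # S.DEC writes q - 1; dec(0) stays 0 here, as pred(0) = 0 in F
        store[cmd[1]] = max(store[cmd[1]] - 1, 0)
    elif tag == 'block':             # S.BLOCK-I/II: the body runs on the same store
        exec_seq(cmd[1], store, ro)
    elif tag == 'for':               # S.FOR-I/II: y = 0, ..., q-1 read-only, bound excluded
        _, y, e, body, _xs = cmd
        for k in range(evaluate(e, store, ro)):
            exec_seq(body, store, {**ro, y: k})
    elif tag == 'call':              # S.CALL
        _, p, args, outs = cmd
        _, ins, formal_outs, body, env = evaluate(p, store, ro)
        if len(set(outs)) != len(outs):
            raise ValueError("out arguments must be pairwise distinct (Remark 2.4)")
        values = tuple(evaluate(a, store, ro) for a in args)
        # The rule resets the actual out variables to * and runs the body with
        # the formal outs renamed to them. A body may not mention any other
        # mutable variable (Remark 2.6), so running it on a private store that
        # holds only the outs and copying the results back is equivalent.
        local = {z: UNIT for z in formal_outs}
        exec_seq(body, local, {**env, **dict(zip(ins, values))})
        for x, z in zip(outs, formal_outs):
            store[x] = local[z]
    else:
        raise ValueError("unknown command %r" % (tag,))

def run(seq, store):
    """Run seq on a copy of the initial store and return the final store."""
    store = dict(store)
    exec_seq(seq, store, {})
    return store

# Constructed sample: the addition procedure of Section 2.2.2.
ADD = ('proc', ('X', 'Y'), ('Z',), [
    ('assign', 'Z', 'X'),
    ('for', 'I', 'Y', [('inc', 'Z')], ('Z',)),
])

def run_add(m, n):
    """cst add = ...; add(m, n; R), with R the only mutable variable, initially *."""
    return run([('cst', 'add', ADD), ('call', 'add', (m, n), ('R',))], {'R': UNIT})['R']

def run_mul(m, n):
    """Multiplication by iterating add in a loop whose block owns R; R goes
    from * to a natural number by assignment, never by declaration."""
    return run([('cst', 'add', ADD), ('assign', 'R', 0),
                ('for', 'I', m, [('call', 'add', ('R', n), ('R',))], ('R',))],
               {'R': UNIT})['R']

if __name__ == "__main__":
    print(run_add(3, 4), run_mul(3, 4))
```

Note that run_add starts from a store in which R holds ∗ and ends with R holding a natural number: the value stored in a mutable variable, and with it its type, changes by assignment, which is the situation the pseudo-dynamic type system of Section 3 is designed to accept.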

2.3 Translation from I to F and simulation 

We recall the translation, similar in spirit to Landin's translation of Algol-like languages, described in [15]. 
The intuition behind this translation of imperative programs into functional programs is the following: a 
sequence {c1; ...; cn;}_x̄ is translated into: 

let x̄1 = c1* in ... let x̄n = cn* in x̄ 

where each x̄i ⊆ x̄ corresponds to the "output" of command ci and x̄ is the output of the sequence. 

Definition 2.11. For any expression e, sequence s and variables x̄, the translations e* and (s)*_x̄ into terms 
of language F are defined by mutual induction as follows: 

- q* = S^q(0) 

- y* = y 

- ∗* = () 

- (e1, ..., en)* = (e1*, ..., en*) 

- (proc (in ȳ; out z̄) {s}_z̄)* = λȳ.(s)*_z̄[()/z̄] 

- (ε)*_x̄ = x̄ 

- (var y := e; s)*_x̄ = (s)*_x̄[e*/y] 

- (cst y = e; s)*_x̄ = let y = e* in (s)*_x̄ 

- (y := e; s)*_x̄ = let y = e* in (s)*_x̄ 

- (inc(y); s)*_x̄ = let y = succ(y) in (s)*_x̄ 

- (dec(y); s)*_x̄ = let y = pred(y) in (s)*_x̄ 

- (p(ē; z̄); s)*_x̄ = let z̄ = p*(ē*) in (s)*_x̄ 

- ({s1}_z̄; s2)*_x̄ = let z̄ = (s1)*_z̄ in (s2)*_x̄ 

- (for y := 0 until e {s1}_z̄; s2)*_x̄ = let z̄ = rec(e*, z̄, λy.λz̄.(s1)*_z̄) in (s2)*_x̄ 
2.3.1 Simulation 

We recall the simulation theorem from [15] which states that for any sequence s, the evaluation of s is simu- 
lated by the reduction of (s)*_x̄. 

Proposition 2.12. For any state (s, μ), if x̄ = dom(μ) and z̄ ⊆ x̄ we have: 

(s, μ) ↦ (s', μ') implies (s)*_z̄[μ(x̄)*/x̄] →* (s')*_z̄[μ'(x̄)*/x̄] 
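The following is an added example, not code from the paper, covering Definition 2.11 and the simulation of Section 2.3.1: a translation of tuple-encoded I sequences into let-normal F terms, plus a call-by-value evaluator for those terms, run on the addition procedure of Section 2.2.2. The encodings of I programs and F terms, and the names trans_expr, trans_seq, eval_f and translate_and_run, are constructed for this example. Two substitutions of the definition, (s)*_z̄[()/z̄] and (s)*_x̄[e*/y], are realised as let-bindings; since e* is always a value (Proposition 2.14), each such let reduces to the substituted term in one step.

```python
# Added example, not code from the paper: (s)*_x̄ of Definition 2.11 and an
# evaluator for its output. Constructed encodings:
# I programs: int q | '*' | 'y' | (e1, ..., en) | ('proc', ins, outs, body);
#   commands ('assign', y, e) ('inc', y) ('dec', y) ('block', s, xs)
#            ('for', y, e, s, xs) ('call', p, args, outs) ('cst', y, e) ('var', y, e).
# F terms: int n for S^n(0) | 'x' | ('unit',) | ('tuple', [t...]) | ('succ', t)
#   | ('pred', t) | ('lam', [x...], t) for λ(x1, ..., xn).t (Remark 2.2)
#   | ('app', t1, t2) | ('let', x, t1, t2) | ('lets', [x...], t1, t2)
#   | ('rec', t1, t2, ('lam2', y, [z...], t3)) for rec(t1, t2, λy.λz̄.t3).

def trans_expr(e):
    """e* for expressions: q* = S^q(0), y* = y, ∗* = (), tuples and procedures."""
    if e == '*':
        return ('unit',)
    if isinstance(e, (int, str)):
        return e
    if e and e[0] == 'proc':
        _, ins, outs, body = e
        # (proc (in ȳ; out z̄) {s}_z̄)* = λȳ.(s)*_z̄[()/z̄], the substitution as a let
        return ('lam', list(ins),
                ('lets', list(outs), ('tuple', [('unit',)] * len(outs)), trans_seq(body, outs)))
    return ('tuple', [trans_expr(x) for x in e])

def trans_seq(seq, xs):
    """(s)*_x̄: one let per command, ending with the output tuple x̄."""
    if not seq:
        return ('tuple', list(xs))                      # (ε)*_x̄ = x̄
    cmd, k = seq[0], trans_seq(seq[1:], xs)             # k is the translated rest
    tag = cmd[0]
    if tag in ('cst', 'assign', 'var'):                 # let y = e* in k
        return ('let', cmd[1], trans_expr(cmd[2]), k)
    if tag == 'inc':
        return ('let', cmd[1], ('succ', cmd[1]), k)
    if tag == 'dec':
        return ('let', cmd[1], ('pred', cmd[1]), k)
    if tag == 'call':                                   # let z̄ = p*(ē*) in k
        _, p, args, outs = cmd
        return ('lets', list(outs), ('app', trans_expr(p), ('tuple', [trans_expr(a) for a in args])), k)
    if tag == 'block':                                  # let z̄ = (s1)*_z̄ in k
        return ('lets', list(cmd[2]), trans_seq(cmd[1], cmd[2]), k)
    if tag == 'for':                                    # let z̄ = rec(e*, z̄, λy.λz̄.(s1)*_z̄) in k
        _, y, e, body, zs = cmd
        return ('lets', list(zs), ('rec', trans_expr(e), ('tuple', list(zs)),
                                   ('lam2', y, list(zs), trans_seq(body, zs))), k)
    raise ValueError("unknown command %r" % (tag,))

def eval_f(t, env):
    """Call-by-value evaluation of the F terms above (closures for λ)."""
    if isinstance(t, int):
        return t
    if isinstance(t, str):
        return env[t]
    tag = t[0]
    if tag == 'unit':
        return ()
    if tag == 'tuple':
        return tuple(eval_f(x, env) for x in t[1])
    if tag == 'succ':
        return eval_f(t[1], env) + 1
    if tag == 'pred':
        return max(eval_f(t[1], env) - 1, 0)            # pred(0) = 0
    if tag == 'lam':
        return ('clo', t[1], t[2], env)
    if tag == 'app':                                    # (λx̄.t) v̄ -> t[v̄/x̄]
        _, params, body, cenv = eval_f(t[1], env)
        return eval_f(body, {**cenv, **dict(zip(params, eval_f(t[2], env)))})
    if tag == 'let':
        return eval_f(t[3], {**env, t[1]: eval_f(t[2], env)})
    if tag == 'lets':
        return eval_f(t[3], {**env, **dict(zip(t[1], eval_f(t[2], env)))})
    if tag == 'rec':                                    # the two rec rules of Figure 2.1
        _, n, base, (_, y, zs, body) = t
        acc = eval_f(base, env)
        for k in range(eval_f(n, env)):
            acc = eval_f(body, {**env, y: k, **dict(zip(zs, acc))})
        return acc
    raise ValueError("unknown term %r" % (tag,))

# Constructed sample: the addition procedure of Section 2.2.2, called as
# add(m, n; R) where R is the only mutable variable in scope.
ADD = ('proc', ('X', 'Y'), ('Z',), [
    ('assign', 'Z', 'X'),
    ('for', 'I', 'Y', [('inc', 'Z')], ('Z',)),
])

def translate_and_run(m, n):
    """Translate 'cst add = ...; add(m, n; R)' with x̄ = (R) and evaluate it from
    R = (), the image of R = ∗ under μ(x̄)* in Proposition 2.12."""
    term = trans_seq([('cst', 'add', ADD), ('call', 'add', (m, n), ('R',))], ('R',))
    return eval_f(term, {'R': ()})
```

Printing trans_seq on the sample shows the monadic normal form of Definition 2.13 directly: every intermediate result is named by a let, the loop becomes a rec whose base is the current value of the block's variables, and the term ends with the output tuple (R).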



2.4 Translation from F to I and retraction 

In this section, we show how to translate a functional program of F into an imperative program of I. How- 
ever, this translation is only defined for a sub-language L of monadic normal forms (terms where any non- 
trivial intermediate computation is named [33, 25]). This sub-language L characterizes the image of impera- 
tive programs by ∗. We show in Appendix C.5 how to transform any term of language F into a monadic 
normal form of L. 

Definition 2.13. We define inductively L and V, families of terms (resp. values) of F, as follows: 

() ∈ V 

S^n(0) ∈ V 

λx.t ∈ V 

(v1, ..., vn) ∈ V if v1, ..., vn ∈ V 

v ∈ L if v ∈ V 

let x̄ = v in u ∈ L if v ∈ V and u ∈ L 

let x = succ(v) in u ∈ L if v ∈ V and u ∈ L 

let x = pred(v) in u ∈ L if v ∈ V and u ∈ L 

let x̄ = v v' in u ∈ L if v ∈ V, v' ∈ V and u ∈ L 

let x̄ = rec(v, v', λy.λz̄.t) in u ∈ L if v ∈ V, v' ∈ V and u ∈ L 

let x̄ = t in u ∈ L if t ∈ L and u ∈ L 

Proposition 2.14. For any sequence s, any expression e and any variables x̄ = (x1, ..., xn), (s)*_x̄ ∈ L and 
e* ∈ V. 

Proof. Straightforward mutual induction on s and e. □ 

Notation 2.15. In the sequel, we shall use the following abbreviations: 

var ȳ; s = var y1 := ∗; ...; var yn := ∗; s 

var ȳ := w̄; s = var y1 := w1; ...; var yn := wn; s 

cst ȳ = z̄; s = cst y1 = z1; ...; cst yn = zn; s 

ȳ := w̄; s = y1 := w1; ...; yn := wn; s 
Definition 2.16. For any value w ∈ V and any term t ∈ L, the translations w° and (t)°_r̄ are defined by mutual 
induction, where r̄ = (r1, ..., rn), z and z̄ = (z1, ..., zn) are fresh variables, as follows: 

— ()° = ∗ 

— S^n(0)° = n 

— y° = y 

— (λx.t)° = proc (in x; out z̄) {(t)°_z̄}_z̄ 

— (w1, ..., wn)° = (w1°, ..., wn°) 

— (w)°_r̄ = r̄ := w°; ε 

— (let ȳ = w in u)°_r̄ = cst ȳ = w°; (u)°_r̄ 

— (let y = succ(w) in u)°_r̄ = var z := w°; inc(z); cst y = z; (u)°_r̄ 

— (let y = pred(w) in u)°_r̄ = var z := w°; dec(z); cst y = z; (u)°_r̄ 

— (let x̄ = w w' in u)°_r̄ = var z̄; w°(w'°; z̄); cst x̄ = z̄; (u)°_r̄ 

— (let x̄ = rec(w, w', λi.λȳ.t) in u)°_r̄ = var z̄ := w'°; for i := 0 until w° {cst ȳ = z̄; (t)°_z̄}_z̄; cst x̄ = z̄; (u)°_r̄ 

— (let x̄ = t in u)°_r̄ = var z̄; {(t)°_z̄}_z̄; cst x̄ = z̄; (u)°_r̄ 

Remark 2.17. Note that all identifiers of the source term are mapped to read-only variables. Indeed, 
mutable variables are introduced locally, assigned and then only used to initialize local read-only variables. This prop- 
erty ensures that mutable variables do not occur in the body of procedures in the resulting Loop^ω program: 
the only mutable variables are fresh variables introduced during the translation. 

2.4.1 Retraction 

We prove that for any term t of L, the term ((t)°_r̄)*_r̄ is convertible with t. Both terms are not equal in general 
since some "administrative" redexes are introduced by the translations. However, equality holds for integer 
values. 

Definition 2.18. We define the conversion relation ≈ as the reflexive, symmetric, transitive and contextual 
closure of the reduction → for arbitrary contexts. 

Proposition 2.19. 

• Given a term t ∈ L and a fresh mutable variable tuple r̄ we have ((t)°_r̄)*_r̄ ≈ t. 

• Given a value w ∈ V, if w = S^n(0) or w = () then w°* = w else w°* ≈ w. 

Proof. See Appendix A. □ 

Proposition 2.20. For any value w, if w = q or w = ∗ then w*° = w. 

Proof. By Proposition 2.19, if w = q or w = ∗ then w*°* = w*. □ 



3 Pseudo-dynamic Type System 

In this section, we present the simple type system for language F and the pseudo-dynamic type system for 
language I. Then we show that both translations ∗ and ∘ preserve typability and that the transition semantics 
of I enjoys the usual "type preservation" and "progress" properties. 

3.1 Functional simple type system FS 

The functional simple type system FS is defined as usual for a simply typed λ-calculus extended with tuples, 
natural numbers and with primitive recursion at all types. The set Σ_FS of simple functional types is defined 
by the following grammar: 

σ ::= nat | unit | σ1 → σ2 | σ1 × ... × σn 
(ident)    x: τ ∈ Γ
           ───────────
           Γ ⊢ x: τ

(zero)     Γ ⊢ 0: nat

(succ)     Γ ⊢ t: nat
           ──────────────
           Γ ⊢ S(t): nat

(pred)     Γ ⊢ t: nat
           ─────────────────
           Γ ⊢ pred(t): nat

(tuple)    Γ ⊢ t1: τ1   ...   Γ ⊢ tn: τn
           ─────────────────────────────────────
           Γ ⊢ (t1, ..., tn): τ1 × ... × τn

(unit)     Γ ⊢ (): unit

(let)      Γ, x1: τ1, ..., xn: τn ⊢ t: τ      Γ ⊢ u: τ1 × ... × τn
           ──────────────────────────────────────────────────────────
           Γ ⊢ let (x1, ..., xn) = u in t: τ

(abs)      Γ, x: τ ⊢ t: σ
           ───────────────────
           Γ ⊢ λx.t: τ → σ

(app)      Γ ⊢ t1: σ → τ      Γ ⊢ t2: σ
           ───────────────────────────────
           Γ ⊢ t1 t2: τ

(rec)      Γ ⊢ t1: nat      Γ ⊢ t2: τ      Γ, x: nat, y: τ ⊢ t3: τ
           ─────────────────────────────────────────────────────────
           Γ ⊢ rec(t1, t2, λx.λy.t3): τ

Figure 3.1. Functional type system FS 

The type system is summarized in Figure 3.1. 

3.2 Pseudo-dynamic imperative type system IS 

The static type system described in this section is called "pseudo-dynamic" since the type of a mutable vari- 
able is allowed to change during execution. It is however fully static in the sense that it guarantees statically 
that no type error can occur at run-time. As a side benefit, we obtain a convenient way to address the issue 
of uninitialized variables: any mutable variable can be initialized with ∗ (which denotes the single value 
of type unit) and its type shall change later (when assigned its first relevant value). 

The pseudo-dynamic type system may also be seen as a simple effect system [28, 71] since it is able to 
guarantee the absence of side-effects, aliasing and fix-points in well-typed programs. Its key feature which 
enables this property is the distinction between mutable variables and read-only variables. More formally, the 
set Σ_IS of imperative types is defined by the following grammar: 

σ, τ ::= nat | proc (in τ̄; out σ̄) | (τ1, ..., τn) | unit 

A typing environment has the form Γ; Ω where Γ and Ω are (possibly empty) lists of pairs x: τ (x ranges over 
variables and τ over types). Γ stands for read-only variables (constants and in parameters) and Ω stands for 
mutable variables (local variables and out parameters). We use two typing judgments, one for expressions 
and one for sequences: Γ; Ω ⊢ e: τ has the usual meaning, whereas in Γ; Ω ⊢ s ▷ Ω', the environment Ω' con- 
tains the types of the mutable variables at the end of the sequence s. The type system is given in Figure 3.2. 
As usual, we consider programs up to renaming of bound variables, where the notion of free variable of a 
command is defined in the standard way. 

Remark 3.1. Let us recall important features of this pseudo-dynamic type system shared with the static 
type system described in [15]: 

• (scoping rules). As usual for C-like languages, the scope of a constant (rule t.cst) or a variable (rule 
t.var) extends from the point of declaration to the end of the block containing the declaration. 



(t.env)     x: τ ∈ Γ; Ω
            ─────────────
            Γ; Ω ⊢ x: τ

(t.num)     Γ; Ω ⊢ q: nat

(t.unit)    Γ; Ω ⊢ ∗: unit

(t.tuple)   Γ; Ω ⊢ e1: τ1   ...   Γ; Ω ⊢ en: τn
            ───────────────────────────────────────
            Γ; Ω ⊢ (e1, ..., en): (τ1, ..., τn)

(t.proc)    z̄ ≠ ∅      Γ, ȳ: σ̄; z̄: unit ⊢ s ▷ z̄: τ̄
            ──────────────────────────────────────────────────────────
            Γ; Ω ⊢ proc (in ȳ; out z̄) {s}_z̄ : proc (in σ̄; out τ̄)

(t.empty)   Γ; Ω, Ω' ⊢ ε ▷ Ω'

(t.seq)     Γ; Ω, x̄: σ̄ ⊢ c ▷ x̄: τ̄      Γ; Ω, x̄: τ̄ ⊢ s ▷ Ω'
            ─────────────────────────────────────────────────
            Γ; Ω, x̄: σ̄ ⊢ c; s ▷ Ω'

(t.cst)     Γ; Ω ⊢ e: τ      Γ, y: τ; Ω ⊢ s ▷ Ω'
            ───────────────────────────────────────
            Γ; Ω ⊢ cst y = e; s ▷ Ω'

(t.var)     Γ; Ω ⊢ e: τ      Γ; Ω, y: τ ⊢ s ▷ Ω'      y ∉ Ω'
            ───────────────────────────────────────────────────
            Γ; Ω ⊢ var y := e; s ▷ Ω'

(t.assign)  Γ; Ω, y: σ ⊢ e: τ
            ────────────────────────────
            Γ; Ω, y: σ ⊢ y := e ▷ y: τ

(t.block)   Γ; x̄: τ̄ ⊢ s ▷ x̄: σ̄
            ──────────────────────────────────
            Γ; Ω, x̄: τ̄ ⊢ {s}_x̄ ▷ x̄: σ̄

(t.inc)     Γ; Ω, y: nat ⊢ inc(y) ▷ y: nat

(t.dec)     Γ; Ω, y: nat ⊢ dec(y) ▷ y: nat

(t.for)     Γ; Ω, x̄: σ̄ ⊢ e: nat      Γ, y: nat; x̄: σ̄ ⊢ s ▷ x̄: σ̄
            ───────────────────────────────────────────────────────
            Γ; Ω, x̄: σ̄ ⊢ for y := 0 until e {s}_x̄ ▷ x̄: σ̄

(t.call)    Γ; Ω, ȳ: ω̄ ⊢ p: proc (in σ̄; out τ̄)      Γ; Ω, ȳ: ω̄ ⊢ ē: σ̄
            ─────────────────────────────────────────────────────────────
            Γ; Ω, ȳ: ω̄ ⊢ p(ē; ȳ) ▷ ȳ: τ̄

Figure 3.2. Imperative type system IS 



• (no side-effects). Rule (t.proc) implies that the only mutable variables which may occur inside the 
body of a procedure are its out parameters and its local mutable variables. This is enough to guar- 
antee the absence of side-effects. However, side-effects can still be simulated by passing the non-local 
variable as an explicit in-out parameter (see Section 3.5). 

• (no fix-points). Rule (t.proc) also forbids the reading of non-local mutable variables: this is necessary 
to prevent the definition of fix-points in the language. 

Let us define formally the notions of well-typed stores and states. 

Definition 3.2. (store typing). We say that a store μ is typable of output typing environment Ω = z1: τ1, ..., 
zn: τn, denoted μ ▷ Ω, if and only if z̄ = dom(μ) and for all (zi, wi) ∈ μ we have ∅; ∅ ⊢ wi: τi. 

Definition 3.3. (state typing). We say that a state (s, μ) is typable of output typing environment Ω' for a 
restriction of the store to the variables z̄: τ̄, which we write as z̄: τ̄ ⊢ (s, μ) ▷ Ω', if and only if μ ▷ z̄: τ̄ and ∅; 
z̄: τ̄ ⊢ s ▷ Ω'. 
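As an added example (not code from the paper), the following is a checker for the pseudo-dynamic type system IS of Figure 3.2, including the two features of Remark 3.1: a mutable variable's type changes by assignment, and a procedure body may neither read nor write any mutable variable other than its out parameters. The type and program encodings, the names check_expr, check_seq, check_cmd, restrict and rejected, and the decision to annotate procedures with the types of their in parameters (rule (t.proc) picks σ̄, and the syntax of I is unannotated) are all assumptions of this example.

```python
# Added example, not code from the paper: a checker for the type system IS of
# Figure 3.2. Γ (read-only) and Ω (mutable) are dicts from names to types; the
# sequence judgment Γ; Ω ⊢ s ▷ Ω' is computed as the returned dict Ω'.
# Constructed encodings:
#   types:    'nat' | 'unit' | ('tuple', (τ1, ..., τn)) | ('proc', (σ̄...), (τ̄...))
#   programs: as the raw syntax of Section 2.2.1, except that a procedure also
#             carries the types of its in parameters: ('proc', ins, outs, body, in_types).
# Mutable variables are assumed not to be shadowed by inner declarations.

def restrict(O, xs):
    """Ω restricted to x̄; every xi must be a mutable variable in scope."""
    if any(x not in O for x in xs):
        raise TypeError("%r must all be mutable variables in scope" % (xs,))
    return {x: O[x] for x in xs}

def check_expr(e, G, O):
    """Γ; Ω ⊢ e: τ (rules t.env, t.num, t.unit, t.tuple, t.proc)."""
    if e == '*':
        return 'unit'
    if isinstance(e, int):
        return 'nat'
    if isinstance(e, str):
        if e in O:
            return O[e]
        if e in G:
            return G[e]
        raise TypeError("unbound variable %s" % e)
    if e and e[0] == 'proc':
        _, ins, outs, body, in_types = e
        # (t.proc): the body sees its in parameters read-only and ONLY its out
        # parameters as mutable variables, each starting at type unit. Mutable
        # variables of the enclosing scope are out of reach, which is what
        # rules out side-effects and "tying the recursive knot" (Remark 2.6).
        out_env = check_seq(body, {**G, **dict(zip(ins, in_types))},
                            {z: 'unit' for z in outs})
        return ('proc', tuple(in_types), tuple(out_env[z] for z in outs))
    return ('tuple', tuple(check_expr(x, G, O) for x in e))

def check_seq(seq, G, O):
    """Γ; Ω ⊢ s ▷ Ω' (rules t.empty, t.seq, t.cst, t.var)."""
    if not seq:
        return dict(O)
    cmd, rest = seq[0], seq[1:]
    if cmd[0] == 'cst':
        return check_seq(rest, {**G, cmd[1]: check_expr(cmd[2], G, O)}, O)
    if cmd[0] == 'var':
        out = check_seq(rest, G, {**O, cmd[1]: check_expr(cmd[2], G, O)})
        return {x: t for x, t in out.items() if x != cmd[1]}      # y ∉ Ω'
    return check_seq(rest, G, {**O, **check_cmd(cmd, G, O)})     # (t.seq)

def check_cmd(cmd, G, O):
    """Γ; Ω ⊢ c ▷ x̄: τ̄, returned as the dict {x̄: τ̄} of re-typed mutable variables."""
    tag = cmd[0]
    if tag == 'assign':                         # (t.assign): the type of y may change
        _, y, e = cmd
        if y not in O:
            raise TypeError("%s is not a mutable variable" % y)
        return {y: check_expr(e, G, O)}
    if tag in ('inc', 'dec'):                   # (t.inc) / (t.dec)
        y = cmd[1]
        if O.get(y) != 'nat':
            raise TypeError("%s(%s) needs %s: nat, found %r" % (tag, y, y, O.get(y)))
        return {y: 'nat'}
    if tag == 'block':                          # (t.block): only x̄ is visible inside
        return check_seq(cmd[1], G, restrict(O, cmd[2]))
    if tag == 'for':                            # (t.for): the body must preserve x̄: σ̄
        _, y, e, body, xs = cmd
        if check_expr(e, G, O) != 'nat':
            raise TypeError("loop bound must have type nat")
        inner = restrict(O, xs)
        out = check_seq(body, {**G, y: 'nat'}, inner)
        if out != inner:
            raise TypeError("loop body changes %r into %r" % (inner, out))
        return inner
    if tag == 'call':                           # (t.call)
        _, p, args, outs = cmd
        if len(set(outs)) != len(outs):
            raise TypeError("out arguments must be pairwise distinct (Remark 2.4)")
        restrict(O, outs)
        tp = check_expr(p, G, O)
        if not (isinstance(tp, tuple) and tp[0] == 'proc'):
            raise TypeError("calling a non-procedure")
        actual = tuple(check_expr(a, G, O) for a in args)
        if actual != tp[1] or len(outs) != len(tp[2]):
            raise TypeError("arguments %r do not match %r" % (actual, tp[1]))
        return dict(zip(outs, tp[2]))
    raise TypeError("unknown command %r" % (tag,))

def rejected(seq, G, O):
    """True when Γ; Ω ⊢ seq ▷ Ω' has no derivation."""
    try:
        check_seq(seq, G, O)
        return False
    except TypeError:
        return True

# Constructed samples: the (annotated) addition procedure of Section 2.2.2 and
# a use of it in which the mutable variable R starts at type unit.
ADD_T = ('proc', ('X', 'Y'), ('Z',), [
    ('assign', 'Z', 'X'),
    ('for', 'I', 'Y', [('inc', 'Z')], ('Z',)),
], ('nat', 'nat'))
USE_ADD = [('cst', 'add', ADD_T), ('call', 'add', (2, 3), ('R',))]
```

Running check_seq(USE_ADD, {}, {'R': 'unit'}) returns {'R': 'nat'}: the call re-types R, exactly as rule (t.call) states, while inc(R) in the same initial environment is rejected because R is not yet a nat. A procedure whose body assigns from a mutable variable of the enclosing scope is rejected at (t.proc), and a loop whose body assigns ∗ to a nat variable is rejected at (t.for), since the body must leave x̄: σ̄ unchanged for the rec of Definition 2.11 to be typable.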
3.3 Translations between IS and FS 

We define translations ∗ and ∘ for simple types (which also form a retraction at the type level) and we show 
that both translations preserve typing. 

Definition 3.4. For any type τ ∈ Σ_IS, the corresponding type τ* ∈ Σ_FS is defined inductively as follows: 

— unit* = unit 

— nat* = nat 

— (τ1, ..., τn)* = τ1* × ... × τn* 

— proc (in τ̄; out σ̄)* = τ̄* → σ̄* 

Definition 3.5. For any type σ ∈ Σ_FS the translation σ° ∈ Σ_IS is defined as follows: 

— unit° = unit 

— nat° = nat 

— (σ1 × ... × σn)° = (σ1°, ..., σn°) 

— (σ → τ)° = proc (in σ°; out τ°) 

Proposition 3.6. (retraction at the type level). 

1. For any type σ ∈ Σ_IS, we have σ*° = σ. 

2. For any type σ ∈ Σ_FS, we have σ°* = σ. 

Proof. Straightforward induction on the translations τ* and σ°. □ 

Theorem 3.7. For any environments Γ and Ω, any expression e, any sequence s we have: 

• Γ; Ω ⊢ e: τ in IS implies Γ*, Ω* ⊢ e*: τ* in FS. 

• Γ; Ω ⊢ s ▷ x̄: σ̄ in IS implies Γ*, Ω* ⊢ (s)*_x̄: σ̄* in FS. 

Proof. By induction on the typing derivation. □ 

Theorem 3.8. For any state (s, μ), if z̄: τ̄ ⊢ (s, μ) ▷ Ω in IS with x̄: σ̄ ⊆ Ω, then ⊢ (s)*_x̄[μ(x̄)*/x̄]: σ̄* in FS. 

Proof. By definition of state typing, z̄: τ̄ ⊢ (s, μ) ▷ Ω implies ∅; z̄: τ̄ ⊢ s ▷ Ω and, for all (zi, μ(zi)) ∈ μ, ∅; 
∅ ⊢ μ(zi): τi. By Theorem 3.7, on one hand ∅; z̄: τ̄ ⊢ s ▷ Ω implies z̄: τ̄* ⊢ (s)*_x̄: σ̄*, and on the other hand ∅; 
∅ ⊢ μ(zi): τi implies ⊢ μ(zi)*: τi*. Since (s)*_x̄ is well typed in the environment z̄: τ̄*, the variables in x̄ which 
are not in z̄ are not free in (s)*_x̄. Hence, by the substitution lemma, ⊢ (s)*_x̄[μ(x̄)*/x̄]: σ̄*. □ 

Theorem 3.9. 

• Given a term t ∈ L such that Γ ⊢ t: σ in FS, with Γ, σ ∈ Σ_FS, and a fresh mutable variable tuple r̄ of 
any type σ̄' ∈ Σ_IS, we have Γ°; r̄: σ̄' ⊢ (t)°_r̄ ▷ r̄: σ° in IS. 

• Given a value v ∈ V such that Γ ⊢ v: σ in FS with Γ, σ ∈ Σ_FS, we have Γ°; ∅ ⊢ v°: σ° in IS. 

Proof. By induction on the typing derivation. □ 

3.4 Properties of the pseudo-dynamic type system 

As expected, the transition semantics preserves typing and the usual "progress" property holds.

Theorem 3.10. (preservation). For any state $(s, \mu)$, if $\bar z:\bar\tau \vdash (s, \mu) \triangleright \Omega$ in IS and $(s, \mu) \mapsto (s', \mu')$, then there exists $\bar\tau'$ such that $\bar z:\bar\tau' \vdash (s', \mu') \triangleright \Omega$ in the simple type system.

Proof. By induction on the transition, and by case analysis on the typing derivation (see Appendix B.3). □
Lemma 3.11. (progress). For any state $(s, \mu)$, if $\bar z:\bar\tau \vdash (s, \mu) \triangleright \Omega$ in IS then either $s = \varepsilon$ and no further evaluation step can occur, or there is a unique state $(s', \mu')$ such that $(s, \mu) \mapsto (s', \mu')$.



Lemma 3.12. (termination). For any state $(s, \mu)$, if $\bar z:\bar\tau \vdash (s, \mu) \triangleright \Omega$ in IS then the evaluation of $(s, \mu)$ terminates.

Proof. By contradiction, assume that there is an infinite sequence of evaluation steps from $(s, \mu)$. By Proposition 2.12, together with the fact that there cannot be an infinite sequence of evaluation steps using only rule (s.VAR-i), we obtain an infinite sequence of evaluation steps from $(s)^*_{\bar x}[\mu(\bar x)^*/\bar x]$. By Theorem 3.8, $\bar z:\bar\tau \vdash (s, \mu) \triangleright \Omega$ implies $\vdash (s)^*_{\bar x}[\mu(\bar x)^*/\bar x] : \bar\sigma^*$, and since typable terms of system T are strongly normalizing, we have a contradiction. □

Proposition 3.13. For any $(s, \mu)$, $\Omega$ and $\bar z$, if $\bar z:\bar\tau \vdash (s, \mu) \triangleright \Omega$ in IS, then there is a unique store $\mu'$ such that $(s, \mu) \mapsto^n (\varepsilon, \mu')$ for some $n$.

Proof. Since, by Lemma 3.12, no infinite evaluation of $(s, \mu)$ can occur, we prove the property by induction on the length $n$ of the longest sequence of evaluation steps from $(s, \mu)$, using Theorem 3.10 in the induction step. □

3.5 Global variables 

Recall that the imperative type system IS (and also ID, in the next section) forbids any access to global mutable variables. It is straightforward to lift this restriction by passing the global variable as an explicit in out parameter to each procedure declaration; the same variable is then given as an argument at each procedure call. Moreover, an in out parameter can be encoded with one in parameter and one out parameter, where each procedure initializes the variable with its input value before executing its body. To handle a list of global variables $\bar z$ more conveniently, we introduce the following abbreviations:

  proc(in x̄; out ȳ)_z̄ {s}_{ȳ,z̄}   ≡   proc(in x̄, z̄'; out ȳ, z̄) { z̄ := z̄'; s }_{ȳ,z̄}
  p(ē; ȳ)_z̄                       ≡   p(ē, z̄; ȳ, z̄)

This transformation corresponds to the usual state-passing style transform in functional programming. Up to currying, we also obtain a state monad [50]. At the type level, however, since the type of a mutable variable can be changed by an assignment, this transform does not correspond to the usual state monad $\tau\,ST = \sigma \to (\tau \times \sigma)$, where $\sigma$ is the fixed type of the global state. We obtain instead a parameterized state monad [5], $(\sigma, \tau, \sigma')\,ST = \sigma \to (\tau \times \sigma')$, where $\sigma$ is the input type of the global state and $\sigma'$ its output type.

This remark shows that the pseudo-dynamic type system is quite expressive: it types programs which would usually require an ad hoc effect system [71].



4 Dependent Type Systems 

In this section, we present the dependently-typed systems for languages F and I. As in the non-dependent case, we show that both translations $*$ and $\circ$ preserve typability. As a corollary, we obtain a soundness result (Theorem 4.8) and a representation theorem (Corollary 4.10) for dependently-typed imperative programs.

4.1 Functional dependent type system FD 

Following the definition of MLIP [48] (or similarly IT(N) in [49]), we enrich language F with dependent types. The type system is parameterized by a first-order signature and an equational system $\mathcal E$ which defines a set of functions in the style of Herbrand-Gödel. We consider only the sort nat (with constructors $0$ and $s$), and we assume that $\mathcal E$ contains at least the usual defining equations for addition, multiplication and a predecessor function $p$ (which is essential to derive all the axioms of Peano's arithmetic [49]). The syntax of formulas is the following (where $n, m$ are first-order terms):

  $\sigma, \tau ::= \mathrm{nat}(n) \mid (n = m) \mid \forall\bar\imath(\tau_1 \Rightarrow \tau_2) \mid \exists\bar\imath(\tau_1 \wedge \cdots \wedge \tau_k)$
Note that first-order quantifiers are provided in the form of dependent products and dependent sums. As usual, implication and conjunction are recovered as the special non-dependent cases (when $\bar\imath$ is empty). Similarly, relativized quantification $\forall x(\mathrm{nat}(x) \Rightarrow \varphi)$ and $\exists x(\mathrm{nat}(x) \wedge \varphi)$ is also obtained as a special case.

The functional dependent type system is summarized in Figure 4.1 (where $\top$ denotes $n = n$ for some $n$, and $\vdash_{\mathcal E} n = m$ means that either $n = m$ or $m = n$ is an instance of $\mathcal E$).

The main difference between this type system and the deduction system MLIP described in [48] is that a derived sequent is directly annotated by a realizer (a functional term), whereas in [48] an extraction function (or forgetful map) $\kappa$ has to be applied to the derivation to obtain the realizer. In other words, if $\Pi$ is a derivation of a sequent $\Gamma \vdash \sigma$ in MLIP, then $\Gamma \vdash \kappa(\Pi) : \sigma$ is derivable in FD. Conversely, if $\Pi$ is a derivation of $\Gamma \vdash \sigma$ in FD, then $\Pi$ is also a derivation of $\Gamma \vdash \sigma$ in MLIP (just erase the realizers from the derivation). Let us recall the subject reduction property of MLIP [48] and derive the same property for FD as a corollary.

Theorem 4.1. (subject reduction for MLIP).

• If $\Pi$ Prawitz-reduces to $\Pi'$, then $\kappa\Pi$ reduces to $\kappa\Pi'$.

• If $t = \kappa\Pi$ reduces to $t'$, then $t' = \kappa\Pi'$ for some $\Pi'$ such that $\Pi$ Prawitz-reduces to $\Pi'$.

Corollary 4.2. (subject reduction for FD). If $\Gamma \vdash t : \sigma$ in FD and $t \to t'$ then $\Gamma \vdash t' : \sigma$.

Proof. Let $\Pi$ be a derivation of $\Gamma \vdash \sigma$ in FD; then $\kappa(\Pi) = t$ and $\Pi$ is also a derivation of $\Gamma \vdash \sigma$ in MLIP. By the above theorem, if $t \to t'$ then $t' = \kappa\Pi'$ for some derivation $\Pi'$ of the same sequent $\Gamma \vdash \sigma$ in MLIP. Consequently, $\Gamma \vdash t' : \sigma$ is derivable since $t' = \kappa\Pi'$. □

Similarly, we obtain the representation theorem for FD as a corollary of the same property for MLIP [48, 49].

Proposition 4.3. (representation theorem for FD). Given an equational system $\mathcal E$ and an $n$-ary function symbol $f$, if

  $\vdash t : \forall\bar n.\,\mathrm{nat}(\bar n) \Rightarrow \mathrm{nat}(f(\bar n))$

is derivable in FD then $t$ represents $f$.

Definition 4.4. (forgetful map). For any functional dependent type $\tau$, the computational content $\kappa\tau$ of $\tau$ is defined inductively as follows:

• $\kappa(n = m) = \mathrm{unit}$

• $\kappa(\mathrm{nat}(n)) = \mathrm{nat}$

• $\kappa(\exists\bar\imath(\tau_1 \wedge \cdots \wedge \tau_n)) = \kappa\tau_1 \times \cdots \times \kappa\tau_n$

• $\kappa(\forall\bar\imath(\tau \Rightarrow \sigma)) = \kappa\tau \to \kappa\sigma$
4.1.1 Example: the addition function

Recall the usual Peano axioms for addition (see Appendix D for the conventions used in the examples):

(1) $x + 0 = x$

(2) $x + s(i) = s(x + i)$

The proof of $\forall n(\mathrm{nat}(n) \Rightarrow \forall m(\mathrm{nat}(m) \Rightarrow \mathrm{nat}(n + m)))$ gives us a term of F that computes the addition of two natural numbers. Here follows, in a "pure" natural deduction style, the proof annotated by terms of F:

• from $x : \mathrm{nat}(n)$ we obtain $x : \mathrm{nat}(n + 0)$ by (1) and (subst);

• from $z : \mathrm{nat}(n + i)$ we obtain $S(z) : \mathrm{nat}(s(n + i))$ by (succ), hence $S(z) : \mathrm{nat}(n + s(i))$ by (2) and (subst);

• with $y : \mathrm{nat}(m)$, rule (rec) then gives $\mathrm{rec}(y, x, \lambda i.\lambda z.S(z)) : \mathrm{nat}(n + m)$;

• $\lambda y.\mathrm{rec}(y, x, \lambda i.\lambda z.S(z)) : \forall m(\mathrm{nat}(m) \Rightarrow \mathrm{nat}(n + m))$ by (abs);

• $\lambda x.\lambda y.\mathrm{rec}(y, x, \lambda i.\lambda z.S(z)) : \forall n(\mathrm{nat}(n) \Rightarrow \forall m(\mathrm{nat}(m) \Rightarrow \mathrm{nat}(n + m)))$ by (abs).
Figure 4.1. Functional dependent type system FD

(ident)   $\dfrac{x:\tau \in \Gamma}{\Gamma \vdash x : \tau}$

(zero)    $\Gamma \vdash 0 : \mathrm{nat}(0)$

(succ)    $\dfrac{\Gamma \vdash t : \mathrm{nat}(n)}{\Gamma \vdash S(t) : \mathrm{nat}(s(n))}$

(pred)    $\dfrac{\Gamma \vdash t : \mathrm{nat}(n)}{\Gamma \vdash \mathrm{pred}(t) : \mathrm{nat}(p(n))}$

(tuple)   $\dfrac{\Gamma \vdash t_1 : \tau_1[\bar m/\bar\imath] \quad \cdots \quad \Gamma \vdash t_k : \tau_k[\bar m/\bar\imath]}{\Gamma \vdash (t_1, \ldots, t_k) : \exists\bar\imath(\tau_1 \wedge \cdots \wedge \tau_k)}$

(let)*    $\dfrac{\Gamma, x_1:\tau_1, \ldots, x_k:\tau_k \vdash t : \tau \quad \Gamma \vdash u : \exists\bar\imath(\tau_1 \wedge \cdots \wedge \tau_k)}{\Gamma \vdash \mathbf{let}\ (x_1, \ldots, x_k) = u\ \mathbf{in}\ t : \tau}$

(abs)*    $\dfrac{\Gamma, x:\tau \vdash t : \sigma}{\Gamma \vdash \lambda x.t : \forall\bar\imath(\tau \Rightarrow \sigma)}$

(app)     $\dfrac{\Gamma \vdash t_1 : \forall\bar\imath(\sigma \Rightarrow \tau) \quad \Gamma \vdash t_2 : \sigma[\bar n/\bar\imath]}{\Gamma \vdash t_1\, t_2 : \tau[\bar n/\bar\imath]}$

(rec)*    $\dfrac{\Gamma \vdash t_1 : \mathrm{nat}(n) \quad \Gamma \vdash t_2 : \tau[0/i] \quad \Gamma, x:\mathrm{nat}(i), y:\tau \vdash t_3 : \tau[s(i)/i]}{\Gamma \vdash \mathrm{rec}(t_1, t_2, \lambda x.\lambda y.t_3) : \tau[n/i]}$

(equal)   $\dfrac{\vdash_{\mathcal E} n = m}{\Gamma \vdash () : (n = m)}$

(subst)   $\dfrac{\Gamma \vdash t : \tau[n/i] \quad \Gamma \vdash v : (n = m)}{\Gamma \vdash t : \tau[m/i]}$

* where $\bar\imath \notin FV(\Gamma)$ in (abs), $\bar\imath \notin FV(\Gamma, \tau)$ in (let) and $i \notin FV(\Gamma)$ in (rec).

4.2 Imperative dependent type system ID

As in the functional case, the type system is parameterized by an equational system $\mathcal E$. The syntax of imperative dependent types is the following:

  $\sigma, \tau ::= \mathrm{nat}(n) \mid \mathbf{proc}\,\forall\bar\imath(\mathbf{in}\ \bar\tau; \mathbf{out}\ \bar\sigma) \mid \exists\bar\imath(\tau_1, \ldots, \tau_n) \mid n = m$

The dependent type system is summarized in Figure 4.2 (where $\top$ denotes $n = n$ for some $n$, and $\vdash_{\mathcal E} n = m$ means that either $n = m$ or $m = n$ is an instance of $\mathcal E$).

The store typing and the state typing are defined in the same way as for the pseudo-dynamic type system.

Definition. (store typing). We say that a store $\mu$ is typable of output typing environment $\Omega = z_1:\tau_1, \ldots, z_n:\tau_n$, denoted $\mu \triangleright \Omega$, if and only if $\bar z \subseteq \mathrm{dom}(\mu)$ and for all $(z_i, w_i) \in \mu$ we have $\emptyset; \emptyset \vdash w_i : \tau_i$.

Definition. (state typing). We say that a state $(s, \mu)$ is typable of output typing environment $\Omega'$ for a restriction of the store to the variables $\bar z:\bar\tau$, which we write as $\bar z:\bar\tau \vdash (s, \mu) \triangleright \Omega'$, if and only if $\mu \triangleright \bar z:\bar\tau$ and $\emptyset; \bar z:\bar\tau \vdash s \triangleright \Omega'$.

Definition 4.5. (forgetful map). For any imperative dependent type $\tau$, the computational content $\kappa\tau$ of $\tau$ is defined inductively as follows:

• $\kappa(n = m) = \mathrm{unit}$

• $\kappa(\mathrm{nat}(n)) = \mathrm{nat}$

• $\kappa(\exists\bar\imath(\tau_1, \ldots, \tau_n)) = (\kappa\tau_1, \ldots, \kappa\tau_n)$

• $\kappa(\mathbf{proc}\,\forall\bar\imath(\mathbf{in}\ \bar\sigma; \mathbf{out}\ \bar\tau)) = \mathbf{proc}\,(\mathbf{in}\ \kappa\bar\sigma; \mathbf{out}\ \kappa\bar\tau)$



Figure 4.2. Imperative dependent type system ID

(t.env)      $\dfrac{x:\tau \in \Gamma, \Omega}{\Gamma; \Omega \vdash x : \tau}$

(t.num)      $\Gamma; \Omega \vdash \underline{n} : \mathrm{nat}(s^n(0))$

(t.equal)    $\dfrac{\vdash_{\mathcal E} n = m}{\Gamma; \Omega \vdash * : n = m}$

(t.tuple)    $\dfrac{\Gamma; \Omega \vdash e_1 : \tau_1[\bar m/\bar\imath] \quad \cdots \quad \Gamma; \Omega \vdash e_n : \tau_n[\bar m/\bar\imath]}{\Gamma; \Omega \vdash (e_1, \ldots, e_n) : \exists\bar\imath(\tau_1, \ldots, \tau_n)}$

(t.proc)*    $\dfrac{\Gamma, \bar y:\bar\sigma; \bar z:\top \vdash s \triangleright \bar z:\bar\tau}{\Gamma; \Omega \vdash \mathbf{proc}\,(\mathbf{in}\ \bar y; \mathbf{out}\ \bar z)\{s\}_{\bar z} : \mathbf{proc}\,\forall\bar\imath(\mathbf{in}\ \bar\sigma; \mathbf{out}\ \bar\tau)}$

(t.subst-i)  $\dfrac{\Gamma; \Omega \vdash e' : \tau[n/i] \quad \Gamma; \Omega \vdash e : n = m}{\Gamma; \Omega \vdash e' : \tau[m/i]}$

(t.subst-ii) $\dfrac{\Gamma; \Omega \vdash s \triangleright \Omega'[n/i] \quad \Gamma; \Omega \vdash e : n = m}{\Gamma; \Omega \vdash s \triangleright \Omega'[m/i]}$

(t.empty)    $\Gamma; \Omega, \Omega' \vdash \varepsilon \triangleright \Omega'$

(t.seq)      $\dfrac{\Gamma; \Omega, \bar r:\bar\tau \vdash c \triangleright \bar r:\bar\tau' \quad \Gamma; \Omega, \bar r:\bar\tau' \vdash s \triangleright \Omega'}{\Gamma; \Omega, \bar r:\bar\tau \vdash c; s \triangleright \Omega'}$

(t.cst)      $\dfrac{\Gamma; \Omega \vdash e : \tau \quad \Gamma, y:\tau; \Omega \vdash s \triangleright \Omega'}{\Gamma; \Omega \vdash \mathbf{cst}\ y = e; s \triangleright \Omega'}$

(t.var)      $\dfrac{\Gamma; \Omega \vdash e : \tau \quad \Gamma; \Omega, y:\tau \vdash s \triangleright \Omega' \quad y \notin \Omega'}{\Gamma; \Omega \vdash \mathbf{var}\ y := e; s \triangleright \Omega'}$

(t.assign)*  $\dfrac{\Gamma; \Omega, \bar y:\bar\sigma \vdash e : \exists\bar\imath(\tau_1, \ldots, \tau_n) \quad \Gamma; \Omega, y_1:\tau_1, \ldots, y_n:\tau_n \vdash s \triangleright \Omega'}{\Gamma; \Omega, \bar y:\bar\sigma \vdash \bar y := e; s \triangleright \Omega'}$

(t.block)    $\dfrac{\Gamma; \bar x:\bar\tau \vdash s \triangleright \bar x:\bar\sigma}{\Gamma; \Omega, \bar x:\bar\tau \vdash \{s\}_{\bar x} \triangleright \bar x:\bar\sigma}$

(t.inc)      $\Gamma; \Omega, y:\mathrm{nat}(n) \vdash \mathrm{inc}(y) \triangleright y:\mathrm{nat}(s(n))$

(t.dec)      $\Gamma; \Omega, y:\mathrm{nat}(n) \vdash \mathrm{dec}(y) \triangleright y:\mathrm{nat}(p(n))$

(t.for)*     $\dfrac{\Gamma; \Omega, \bar x:\bar\sigma[0/i] \vdash e : \mathrm{nat}(n) \quad \Gamma, y:\mathrm{nat}(i); \bar x:\bar\sigma \vdash s \triangleright \bar x:\bar\sigma[s(i)/i]}{\Gamma; \Omega, \bar x:\bar\sigma[0/i] \vdash \mathbf{for}\ y := 0\ \mathbf{until}\ e\ \{s\}_{\bar x} \triangleright \bar x:\bar\sigma[n/i]}$

(t.call)     $\dfrac{\Gamma; \Omega, \bar r:\bar\omega \vdash p : \mathbf{proc}\,\forall\bar\imath(\mathbf{in}\ \bar\sigma; \mathbf{out}\ \bar\tau) \quad \Gamma; \Omega, \bar r:\bar\omega \vdash \bar e : \bar\sigma[\bar m/\bar\imath]}{\Gamma; \Omega, \bar r:\bar\omega \vdash p(\bar e; \bar r) \triangleright \bar r:\bar\tau[\bar m/\bar\imath]}$

* where $\bar\imath \notin FV(\Gamma)$ in (t.proc), $i \notin FV(\Gamma)$ in (t.for) and $\bar\imath \notin FV(\Gamma, \Omega, \Omega')$ in (t.assign).


Proposition 4.6. (erasure). If $\Gamma; \Omega \vdash s \triangleright \Omega'$ is derivable in ID then $\kappa\Gamma; \kappa\Omega \vdash s \triangleright \kappa\Omega'$ is derivable in IS.

Proof. By induction on the typing derivation of $\Gamma; \Omega \vdash s \triangleright \Omega'$. □
4.2.1 Example: the addition procedure

Complete type derivations in ID are tedious. In the following examples, we prefer instead to provide only some type annotations on the right-hand side of the program. Although we did not formally define this syntax, we believe that it is self-explanatory and contains enough information to reconstruct the complete type derivation in ID. For instance, here is the procedure add which computes the addition, together with the sketch of its type derivation (a line "(X:τ)[Z:σ]" records the types of the constants in scope and the current types of the mutable variables):

  cst add = proc (in X, Y; out Z) {      ─ (X:nat(x), Y:nat(y)) [Z:⊤]
    Z := X;                              │ [Z:nat(x + 0)]                 by (1)
    for I := 0 until Y {                 │ ─ (I:nat(i)) [Z:nat(x + i)]
      inc(Z);                            │ │ [Z:nat(x + s(i))]            by (2)
    }_Z;                                 │ [Z:nat(x + y)]
  }_Z                                    (add : proc ∀x,y(in nat(x), nat(y); out nat(x + y)))

4.2.2 Example: the Ackermann procedure

We recall the equations which define a variant of the Ackermann function [49]:

(1) $a(0, n) = s(n)$

(2) $a(s(z), 0) = s(s(0))$

(3) $a(s(z), s(u)) = a(z, a(s(z), u))$

Similarly, from a proof of $\forall m, n(\mathrm{nat}(m) \wedge \mathrm{nat}(n) \Rightarrow \mathrm{nat}(a(m, n)))$ in FD in monadic normal form, by applying translation $\circ$ by hand, we obtain a procedure which computes $a(m, n)$ (the functional typing derivation is given in Appendix D.3.1). Here is the definition of the procedure ack with its typing annotations; note that the result is built by overwriting the higher-order mutable variable G in a loop, without recursion:

  cst ack = proc (in M, N; out Z) {              ─ (M:nat(m), N:nat(n)) [Z:⊤]
    var G := proc (in Y; out P) {                │ ─ (Y:nat(y)) [P:⊤]
      P := Y;                                    │ │ [P:nat(y)]
      inc(P);                                    │ │ [P:nat(s(y))]
    }_P;                                         │ [G : proc ∀y(in nat(y); out nat(a(0, y)))]        by (1)
    for I := 0 until M {                         │ ─ (I:nat(i)) [G : proc ∀y(in nat(y); out nat(a(i, y)))]
      cst H = G;                                 │ │ (H : proc ∀y(in nat(y); out nat(a(i, y))))
      G := proc (in Y; out P) {                  │ │ ─ (Y:nat(y)) [P:⊤]
        P := 2;                                  │ │ │ [P:nat(a(s(i), 0))]                          by (2)
        for J := 0 until Y {                     │ │ │ ─ (J:nat(j)) [P:nat(a(s(i), j))]
          H(P; P);                               │ │ │ │ [P:nat(a(s(i), s(j)))]                     by (3)
        }_P;                                     │ │ │ [P:nat(a(s(i), y))]
      }_P;                                       │ │ [G : proc ∀y(in nat(y); out nat(a(s(i), y)))]
    }_G;                                         │ [G : proc ∀y(in nat(y); out nat(a(m, y)))]
    G(N; Z);                                     │ [Z:nat(a(m, n))]
  }_Z                                            (ack : proc ∀m,n(in nat(m), nat(n); out nat(a(m, n))))
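The two procedures above, transcribed into Python as an added example (this is not code from the paper; its own artifacts are the ID derivations and the Twelf/SML material in the appendices). The point of the transcription is the representation theorem of Section 4.4: the imperative programs, which use only bounded for-loops and, for ack, a higher-order mutable variable that is overwritten at each iteration, compute the functions defined by the Peano equations (1)-(2) of 4.2.1 and the Ackermann equations (1)-(3) of 4.2.2. The names add_proc, ack_proc, add_equations, ack_equations and represents, and the finite test domains, are our own; the loop structure and the comments mirror the annotated derivations.

```python
from itertools import product


def add_equations(x, y):
    # Reference semantics: Peano equations (1) x + 0 = x, (2) x + s(i) = s(x + i).
    return x if y == 0 else add_equations(x, y - 1) + 1


def ack_equations(m, n):
    # Reference semantics: the paper's variant of Ackermann,
    # (1) a(0,n) = s(n), (2) a(s(z),0) = s(s(0)), (3) a(s(z),s(u)) = a(z, a(s(z),u)).
    if m == 0:
        return n + 1
    if n == 0:
        return 2
    return ack_equations(m - 1, ack_equations(m, n - 1))


def add_proc(X, Y):
    # cst add = proc (in X, Y; out Z) { Z := X; for I := 0 until Y { inc(Z) }_Z }_Z
    Z = X                        # [Z : nat(x + 0)]        by (1)
    for _ in range(Y):           # invariant [Z : nat(x + i)]
        Z += 1                   # inc(Z): [Z : nat(x + s(i))]  by (2)
    return Z                     # [Z : nat(x + y)]


def ack_proc(M, N):
    # cst ack = proc (in M, N; out Z) { ... }_Z, loop for loop.
    def G(Y):                    # G : proc ∀y(in nat(y); out nat(a(0, y)))
        P = Y
        P += 1                   # inc(P): P = s(y) = a(0, y)   by (1)
        return P

    for _ in range(M):           # invariant: G computes a(i, ·)
        H = G                    # cst H = G: snapshot of the current G
        def G(Y, H=H):           # G := proc (in Y; out P) { ... }_P, closed over H
            P = 2                #   P := 2        [P : nat(a(s(i), 0))]      by (2)
            for _ in range(Y):   #   for J := 0 until Y
                P = H(P)         #     H(P; P)     [P : nat(a(s(i), s(j)))]   by (3)
            return P             #   [P : nat(a(s(i), y))]
    return G(N)                  # G(N; Z): [Z : nat(a(m, n))]


def represents(proc, f, domain):
    # "p represents f" (Corollary 4.10), checked extensionally on a finite domain.
    return all(proc(*args) == f(*args) for args in domain)


def check_examples():
    # Constructed test domains; a(3, 3) = 30 already needs 30 nested calls of G.
    dom_add = list(product(range(6), repeat=2))
    dom_ack = [(m, n) for m in range(4) for n in range(4)]
    return (represents(add_proc, add_equations, dom_add)
            and represents(ack_proc, ack_equations, dom_ack))


if __name__ == "__main__":
    print(add_proc(2, 3), ack_proc(3, 3), check_examples())
```

The default argument `H=H` freezes the value of H inside each new G, which is what `cst H = G` does in the paper's program; without it, Python's late binding would make every G call the last G and the loop would diverge.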



4.3 Translation from ID to FD

We show that translation $*$ preserves dependent types.

Definition 4.7. (translation of dependent types). For any imperative dependent type $\tau$,
the corresponding functional dependent type $\tau^*$ is defined inductively as follows:

• $(t = u)^* = (t = u)$

• $(\mathrm{nat}(u))^* = \mathrm{nat}(u)$

• $(\exists\bar\imath(\tau_1, \ldots, \tau_n))^* = \exists\bar\imath(\tau_1^* \wedge \cdots \wedge \tau_n^*)$

• $(\mathbf{proc}\,\forall\bar\imath(\mathbf{in}\ \bar\tau; \mathbf{out}\ \bar\sigma))^* = \forall\bar\imath(\bar\tau^* \Rightarrow \bar\sigma^*)$

Theorem 4.8. (soundness for ID). For any environments $\Gamma$ and $\Omega$, any expression $e$ and any sequence $s$ we have:

• $\Gamma; \Omega \vdash e : \tau$ in ID implies $\Gamma^*, \Omega^* \vdash e^* : \tau^*$ in FD.

• $\Gamma; \Omega \vdash s \triangleright \bar z:\bar\sigma$ in ID implies $\Gamma^*, \Omega^* \vdash (s)^*_{\bar z} : \bar\sigma^*$ in FD.

Proof. See Appendix C.3. □

Theorem 4.9. For any state $(s, \mu)$, if $\bar z:\bar\tau \vdash (s, \mu) \triangleright \bar z:\bar\sigma$ in ID then $\vdash (s)^*_{\bar z}[\mu(\bar x)^*/\bar x] : \bar\sigma^*$ in FD.

Proof. By definition of state typing, $\bar z:\bar\tau \vdash (s, \mu) \triangleright \bar z:\bar\sigma$ implies $\emptyset; \bar z:\bar\tau \vdash s \triangleright \bar z:\bar\sigma$ and, for all $(z_i, \mu(z_i)) \in \mu$, $\emptyset; \emptyset \vdash \mu(z_i) : \tau_i$. By Theorem 4.8, on one hand $\emptyset; \bar z:\bar\tau \vdash s \triangleright \bar z:\bar\sigma$ implies $\bar z:\bar\tau^* \vdash (s)^*_{\bar z} : \bar\sigma^*$, and on the other hand $\emptyset; \emptyset \vdash \mu(z_i) : \tau_i$ implies $\vdash \mu(z_i)^* : \tau_i^*$. Since $(s)^*_{\bar z}$ is well typed in the environment $\bar z:\bar\tau^*$, the variables of $\bar x$ which are not in $\bar z$ are not free in $(s)^*_{\bar z}$. Hence, by the substitution lemma, $\vdash (s)^*_{\bar z}[\mu(\bar x)^*/\bar x] : \bar\sigma^*$. □

4.4 Properties of dependently-typed imperative programs 

We are now ready to state and prove the representation theorem for dependently-typed imperative programs. This theorem is a corollary of the representation theorem for FD and of the simulation theorem.

Corollary 4.10. (representation theorem for ID). Given an equational system $\mathcal E$ and an $n$-ary function symbol $f$, if

  $\vdash p : \mathbf{proc}\,\forall\bar n(\mathbf{in}\ \mathrm{nat}(\bar n); \mathbf{out}\ \mathrm{nat}(f(\bar n)))$

is derivable in ID then $p$ represents $f$.

Proof. Indeed, $\vdash p^* : \forall\bar n.\,\mathrm{nat}(\bar n) \Rightarrow \mathrm{nat}(f(\bar n))$ is derivable in FD, and thus $p^*$ represents $f$ by Proposition 4.3. Since, by Proposition 4.6, $\vdash p : \mathbf{proc}\,(\mathbf{in}\ \mathrm{nat}; \mathbf{out}\ \mathrm{nat})$ is derivable in IS, we know that $p$ always terminates by Lemma 3.12 and computes $p^*$ by Proposition 2.12. □

4.5 Translation from FD to ID

We close this section with some properties of translation $\circ$.

Definition 4.11. For any type $\sigma \in \Sigma_{FD}$, the translation $\sigma^\circ$ is defined as follows:

• $(n = m)^\circ = (n = m)$

• $(\mathrm{nat}(n))^\circ = \mathrm{nat}(n)$

• $(\exists\bar\imath(\sigma_1 \wedge \cdots \wedge \sigma_n))^\circ = \exists\bar\imath(\sigma_1^\circ, \ldots, \sigma_n^\circ)$

• $(\forall\bar\imath(\bar\tau \Rightarrow \bar\sigma))^\circ = \mathbf{proc}\,\forall\bar\imath(\mathbf{in}\ \bar\tau^\circ; \mathbf{out}\ \bar\sigma^\circ)$

As expected, Proposition 3.6 extends as follows.

Proposition 4.12. (retraction).

1. For any type $\sigma \in \Sigma_{ID}$, we have $\sigma^{*\circ} = \sigma$.

2. For any type $\sigma \in \Sigma_{FD}$, we have $\sigma^{\circ *} = \sigma$.

Proof. Straightforward induction on the translations $\sigma^*$ and $\sigma^\circ$. □

Proposition 4.13. (erasure and translation commute). For any imperative dependent type $\sigma$ we have

  $\kappa(\sigma^*) = (\kappa\sigma)^*$.

Proof. Straightforward induction on types. □

Theorem 4.14.

• Given a term $t \in \mathcal L$ such that $\Gamma \vdash t : \sigma$ in FD with $\Gamma, \sigma \in \Sigma_{FD}$, and a fresh mutable variable tuple $\bar r$ of any type $\bar\sigma' \in \Sigma_{ID}$, we have $\Gamma^\circ; \bar r:\bar\sigma' \vdash (t)^\circ_{\bar r} \triangleright \bar r : \sigma^\circ$ in ID.

• Given a value $v \in \mathcal V$ such that $\Gamma \vdash v : \sigma$ in FD with $\Gamma, \sigma \in \Sigma_{FD}$, we have $\Gamma^\circ; \emptyset \vdash v^\circ : \sigma^\circ$ in ID.

Proof. By induction on the typing derivation (see Appendix C.4). □

Remark 4.15. Translation $\circ$ is only defined above for terms of $\mathcal L$. Translating an arbitrary term (typable in FD) into an imperative program (typable in ID) only requires putting the term in monadic normal form first. More details are given in Appendix C.5.



5 Control operators

In order to extend the imperative language I with non-local jumps, we first extend the functional language F with control operators. The resulting dependent type system FD$^c$ thus corresponds to classical logic [31] (Peano's arithmetic, in fact). In this section, we rephrase known results from [55, 57] in our setting. However, since FD is based on Leivant's MLIP, our variant may seem closer to Parigot's type system for the $\lambda\mu$-calculus [61] (albeit in the second-order framework).

5.1 Functional dependent type system for control FD$^c$

In order to extend FD to FD$^c$, we assume the existence of a propositional constant "absurd" written $\bot$, we define the negation $\neg\varphi$ as an abbreviation for $\varphi \Rightarrow \bot$, and we add two constants callcc and throw with the following types:

  callcc : $(\neg\varphi \Rightarrow \varphi) \Rightarrow \varphi$
  throw : $(\neg\varphi \wedge \varphi) \Rightarrow \psi$

This choice of control operators is taken from [32], but it would be equivalent to take for instance $\mathcal A$ and $\mathcal C$ from [21] as in [55, 57]. Note that we do not consider any direct-style semantics of these operators in this paper. Instead, we give an indirect semantics as a CPS transformation [65].

5.2 CPS translation

As is well known [33], it is natural to factor a CPS transformation through Moggi's computational meta-language [53, 54]. Since we are interested in providing a semantics for imperative programs, and since the output of translation $*$ is already a term in monadic normal form, the CPS transformation needed here is almost straightforward. We still have to be careful since, in a dependent type system, a monad is actually a modality [12, 8], and we have to deal with first-order quantifiers.

Following [12], we write $\neg_o\varphi$ for $\varphi \Rightarrow o$, where $o$ is a fixed propositional variable. The continuation monad $\nabla$ is then defined as $\nabla\varphi = \neg_o\neg_o\varphi$, together with the following two abbreviations (which correspond to unit and bind):

  $\mathbf{val}\ u = \lambda z.(z\ u)$
  $\mathbf{let\ val}\ x = u\ \mathbf{in}\ t = \lambda z.(u\ \lambda x.(t\ z))$

Moreover, in the continuation monad, the control operators callcc and throw are definable by the following abbreviations [59]:

  $\mathrm{callcc} = \lambda h.\lambda k.(h\ k\ k)$
  $\mathrm{throw} = \lambda(k, a).\lambda k'.(k\ a)$

Let us now prove that for any monadic normal form (possibly containing callcc and throw) typable in FD$^c$, its call-by-value CPS transform is typable in FD. The translation of dependent types is defined as follows:
Definition 5.1. (translation of dependent types from FD$^c$ to FD)

  $\mathrm{nat}(n)^\circ = \mathrm{nat}(n)$

  $(n = m)^\circ = (n = m)$

  $(\exists\bar n(\varphi_1 \wedge \cdots \wedge \varphi_n))^\circ = \exists\bar n(\varphi_1^\circ \wedge \cdots \wedge \varphi_n^\circ)$

  $(\forall\bar n(\varphi \Rightarrow \psi))^\circ = \forall\bar n(\varphi^\circ \Rightarrow \nabla\psi^\circ)$

  $\bot^\circ = o$

Remark 5.2. If we instantiate the monad and restrict ourselves to relativized quantifiers, we obtain, as expected, Murthy's variant [55, 57] of Kuroda's translation [43].

Definition 5.3. For any value $v \in \mathcal V$ and any term $t \in \mathcal L$, possibly containing callcc and throw, the call-by-value CPS transforms $v^\bullet$ and $t^\circ$ are defined by mutual induction as follows:

  $()^\bullet = ()$

  $x^\bullet = x$

  $0^\bullet = 0$

  $S(v)^\bullet = S(v^\bullet)$

  $(\lambda x.u)^\bullet = \lambda x.u^\circ$

  $(v_1, \ldots, v_k)^\bullet = (v_1^\bullet, \ldots, v_k^\bullet)$

  $\mathrm{callcc}^\bullet = \mathrm{callcc}$

  $\mathrm{throw}^\bullet = \mathrm{throw}$

  $v^\circ = \mathbf{val}\ (v^\bullet)$

  $(v_1\ v_2)^\circ = (v_1^\bullet\ v_2^\bullet)$

  $(\mathbf{let}\ (x_1, \ldots, x_n) = t\ \mathbf{in}\ u)^\circ = \mathbf{let\ val}\ y = t^\circ\ \mathbf{in\ let}\ (x_1, \ldots, x_n) = y\ \mathbf{in}\ u^\circ$

  $\mathrm{rec}(v, u, \lambda x.\lambda y.t)^\circ = \mathrm{rec}(v^\bullet, u^\circ, \lambda x.\lambda r.\mathbf{let\ val}\ y = r\ \mathbf{in}\ t^\circ)$

  $\mathrm{pred}(v)^\circ = \mathbf{val}\ \mathrm{pred}(v^\bullet)$

Remark 5.4. The translation above is defined for a syntax slightly more general than $\mathcal L$, since we only need here to distinguish values from computations. It is however straightforward to check that any term of $\mathcal L$ belongs to $\mathrm{dom}(^\circ)$ and any value of $\mathcal V$ belongs to $\mathrm{dom}(^\bullet)$.

Lemma 5.5. The following typing rules are derivable in FD:

  $\dfrac{\Gamma \vdash u : \varphi}{\Gamma \vdash \mathbf{val}\ u : \nabla\varphi}$ \qquad $\dfrac{\Gamma \vdash u : \nabla\varphi \quad \Gamma, x:\varphi \vdash t : \nabla\psi}{\Gamma \vdash \mathbf{let\ val}\ x = u\ \mathbf{in}\ t : \nabla\psi}$

Proof. Straightforward (see Appendix B). □

Lemma 5.6. The abbreviations callcc and throw are typable in FD as follows:

  callcc : $((\varphi^\circ \Rightarrow o) \Rightarrow \nabla\varphi^\circ) \Rightarrow \nabla\varphi^\circ$
  throw : $((\varphi^\circ \Rightarrow o) \wedge \varphi^\circ) \Rightarrow \nabla\psi^\circ$

Proof. Straightforward (see Appendix B). □

Lemma 5.7. For any term $t$ of $\mathcal L$ (resp. any value $v$ of $\mathcal V$) possibly containing callcc and throw, if $\Gamma \vdash t : \varphi$ (resp. $\Gamma \vdash v : \varphi$) is derivable in FD$^c$ then $\Gamma^\circ \vdash t^\circ : \nabla\varphi^\circ$ (resp. $\Gamma^\circ \vdash v^\bullet : \varphi^\circ$) is derivable in FD.

Proof. By induction on the typing derivation, where the base cases for callcc and throw are given by Lemma 5.6. For a value $v$, the case $v^\circ = \mathbf{val}\ (v^\bullet)$ follows from the value case by Lemma 5.5. The remaining cases are the following.

• (ident) $\Gamma, x:\varphi \vdash x : \varphi$. Indeed, $\Gamma^\circ, x:\varphi^\circ \vdash x : \varphi^\circ$.

• (equal) $\dfrac{\vdash_{\mathcal E} n = m}{\Gamma \vdash () : (n = m)}$. Indeed, $\dfrac{\vdash_{\mathcal E} n = m}{\Gamma^\circ \vdash () : (n = m)}$.

• (subst) $\dfrac{\Gamma \vdash t : \varphi[n/i] \quad \Gamma \vdash v : (n = m)}{\Gamma \vdash t : \varphi[m/i]}$. Indeed, $\dfrac{\Gamma^\circ \vdash t^\circ : \nabla\varphi^\circ[n/i] \quad \Gamma^\circ \vdash v^\bullet : (n = m)}{\Gamma^\circ \vdash t^\circ : \nabla\varphi^\circ[m/i]}$.

• (zero) $\Gamma \vdash 0 : \mathrm{nat}(0)$. Indeed, $\Gamma^\circ \vdash 0 : \mathrm{nat}(0)$.

• (succ) $\dfrac{\Gamma \vdash v : \mathrm{nat}(n)}{\Gamma \vdash S(v) : \mathrm{nat}(s\,n)}$. Indeed, $\dfrac{\Gamma^\circ \vdash v^\bullet : \mathrm{nat}(n)}{\Gamma^\circ \vdash S(v^\bullet) : \mathrm{nat}(s\,n)}$.

• (abs), where $\bar\imath \notin FV(\Gamma)$: $\dfrac{\Gamma, x:\varphi \vdash u : \psi}{\Gamma \vdash \lambda x.u : \forall\bar\imath(\varphi \Rightarrow \psi)}$. Indeed, $\dfrac{\Gamma^\circ, x:\varphi^\circ \vdash u^\circ : \nabla\psi^\circ}{\Gamma^\circ \vdash \lambda x.u^\circ : \forall\bar\imath(\varphi^\circ \Rightarrow \nabla\psi^\circ)}$.

• (app) $\dfrac{\Gamma \vdash v_1 : \forall\bar\imath(\varphi \Rightarrow \psi) \quad \Gamma \vdash v_2 : \varphi[\bar n/\bar\imath]}{\Gamma \vdash (v_1\ v_2) : \psi[\bar n/\bar\imath]}$. Indeed, $\dfrac{\Gamma^\circ \vdash v_1^\bullet : \forall\bar\imath(\varphi^\circ \Rightarrow \nabla\psi^\circ) \quad \Gamma^\circ \vdash v_2^\bullet : \varphi^\circ[\bar n/\bar\imath]}{\Gamma^\circ \vdash (v_1^\bullet\ v_2^\bullet) : \nabla\psi^\circ[\bar n/\bar\imath]}$.

• (tuple) $\dfrac{\Gamma \vdash v_1 : \varphi_1[\bar n/\bar\imath] \quad \cdots \quad \Gamma \vdash v_k : \varphi_k[\bar n/\bar\imath]}{\Gamma \vdash (v_1, \ldots, v_k) : \exists\bar\imath(\varphi_1 \wedge \cdots \wedge \varphi_k)}$. Indeed, $\dfrac{\Gamma^\circ \vdash v_1^\bullet : \varphi_1^\circ[\bar n/\bar\imath] \quad \cdots \quad \Gamma^\circ \vdash v_k^\bullet : \varphi_k^\circ[\bar n/\bar\imath]}{\Gamma^\circ \vdash (v_1^\bullet, \ldots, v_k^\bullet) : \exists\bar\imath(\varphi_1^\circ \wedge \cdots \wedge \varphi_k^\circ)}$.

• (let), where $\bar n \notin FV(\Gamma, \psi)$:

  $\dfrac{\Gamma \vdash t : \exists\bar\imath(\varphi_1 \wedge \cdots \wedge \varphi_k) \quad \Gamma, x_1:\varphi_1[\bar n/\bar\imath], \ldots, x_k:\varphi_k[\bar n/\bar\imath] \vdash u : \psi}{\Gamma \vdash \mathbf{let}\ (x_1, \ldots, x_k) = t\ \mathbf{in}\ u : \psi}$

  Indeed, since $\bar n \notin FV(\Gamma^\circ, \psi^\circ)$, from $\Gamma^\circ, y:\exists\bar\imath(\varphi_1^\circ \wedge \cdots \wedge \varphi_k^\circ) \vdash y : \exists\bar\imath(\varphi_1^\circ \wedge \cdots \wedge \varphi_k^\circ)$ and $\Gamma^\circ, x_1:\varphi_1^\circ[\bar n/\bar\imath], \ldots, x_k:\varphi_k^\circ[\bar n/\bar\imath] \vdash u^\circ : \nabla\psi^\circ$ we get $\Gamma^\circ, y:\exists\bar\imath(\varphi_1^\circ \wedge \cdots \wedge \varphi_k^\circ) \vdash \mathbf{let}\ (x_1, \ldots, x_k) = y\ \mathbf{in}\ u^\circ : \nabla\psi^\circ$, and together with $\Gamma^\circ \vdash t^\circ : \nabla(\exists\bar\imath(\varphi_1^\circ \wedge \cdots \wedge \varphi_k^\circ))$ Lemma 5.5 yields

  $\Gamma^\circ \vdash \mathbf{let\ val}\ y = t^\circ\ \mathbf{in\ let}\ (x_1, \ldots, x_k) = y\ \mathbf{in}\ u^\circ : \nabla\psi^\circ$.

• (rec), where $i \notin FV(\Gamma)$:

  $\dfrac{\Gamma \vdash v : \mathrm{nat}(n) \quad \Gamma \vdash u : \varphi[0/i] \quad \Gamma, x:\mathrm{nat}(i), y:\varphi \vdash t : \varphi[s(i)/i]}{\Gamma \vdash \mathrm{rec}(v, u, \lambda x.\lambda y.t) : \varphi[n/i]}$

  Indeed, since $i \notin FV(\Gamma^\circ)$, from $\Gamma^\circ, r:\nabla\varphi^\circ \vdash r : \nabla\varphi^\circ$ and $\Gamma^\circ, x:\mathrm{nat}(i), y:\varphi^\circ \vdash t^\circ : \nabla\varphi^\circ[s(i)/i]$ we get $\Gamma^\circ, x:\mathrm{nat}(i), r:\nabla\varphi^\circ \vdash \mathbf{let\ val}\ y = r\ \mathbf{in}\ t^\circ : \nabla\varphi^\circ[s(i)/i]$, and hence

  $\dfrac{\Gamma^\circ \vdash v^\bullet : \mathrm{nat}(n) \quad \Gamma^\circ \vdash u^\circ : \nabla\varphi^\circ[0/i] \quad \Gamma^\circ, x:\mathrm{nat}(i) \vdash \lambda r.\mathbf{let\ val}\ y = r\ \mathbf{in}\ t^\circ : \nabla\varphi^\circ \Rightarrow \nabla\varphi^\circ[s(i)/i]}{\Gamma^\circ \vdash \mathrm{rec}(v^\bullet, u^\circ, \lambda x.\lambda r.\mathbf{let\ val}\ y = r\ \mathbf{in}\ t^\circ) : \nabla\varphi^\circ[n/i]}$

• (pred) $\dfrac{\Gamma \vdash v : \mathrm{nat}(n)}{\Gamma \vdash \mathrm{pred}(v) : \mathrm{nat}(p\,n)}$. Indeed, $\dfrac{\Gamma^\circ \vdash v^\bullet : \mathrm{nat}(n)}{\Gamma^\circ \vdash \mathrm{pred}(v^\bullet) : \mathrm{nat}(p\,n)}$ and hence $\Gamma^\circ \vdash \mathbf{val}\ \mathrm{pred}(v^\bullet) : \nabla\mathrm{nat}(p\,n)$. □

As a corollary of Lemma 5.7, we obtain a representation theorem for FD$^c$.

Theorem 5.8. (representation theorem for FD$^c$). Given an equational system $\mathcal E$ and an $n$-ary function symbol $f$, if $\vdash t : \forall\bar n.\,\mathrm{nat}(\bar n) \Rightarrow \mathrm{nat}(f(\bar n))$ is derivable in FD$^c$ then $t$ represents $f$.

Proof. By Lemma 5.7, $\vdash t^\circ : \nabla(\forall\bar n.\,\mathrm{nat}(\bar n) \Rightarrow \nabla\mathrm{nat}(f(\bar n)))$ is derivable in FD. Then, using Friedman's top-level trick [27, 55], we replace $o$ by $\mathrm{nat}(f(\bar n))$ in the derivation and obtain that $\vdash \lambda x.(t^\circ\ x\ \mathrm{id}) : \forall\bar n.\,\mathrm{nat}(\bar n) \Rightarrow \mathrm{nat}(f(\bar n))$ is also derivable in FD; thus $\lambda x.(t^\circ\ x\ \mathrm{id})$ represents $f$. □



6 Non-local jumps

In this section we extend language I with control. Since control in imperative languages usually comes in the form of several ad hoc statements (such as exits from loops, exception handling, generators), there is no natural choice of primitive statement. Consequently, we chose to retrofit the operators callcc and throw into language I. We do not claim that these are natural control statements for an imperative language; they are merely primitive constructs from which other statements can be encoded as derived forms. The main advantage of this approach is that we immediately derive a sound program logic for imperative programs with control.

6.1 Dependent imperative type system with control ID$^c$

Similarly to the functional case, we extend type system ID with a propositional type constant $\bot$, we define $\neg\sigma$ as an abbreviation for $\mathbf{proc}\,(\mathbf{in}\ \sigma; \mathbf{out}\ \bot)$, and we add to ID two primitive procedures callcc and throw with the following types:

  callcc : $\mathbf{proc}\,(\mathbf{in}\ \mathbf{proc}\,(\mathbf{in}\ \neg\sigma; \mathbf{out}\ \sigma); \mathbf{out}\ \sigma)$
  throw : $\mathbf{proc}\,(\mathbf{in}\ \neg\sigma, \sigma; \mathbf{out}\ \tau)$

Note that the type of callcc is exactly $((\neg\sigma \Rightarrow \sigma) \Rightarrow \sigma)^\circ$ and the type of throw is exactly $((\neg\sigma \wedge \sigma) \Rightarrow \tau)^\circ$. If we assume that callcc and throw are mapped by $*$ to their functional counterparts, we have the following properties by construction:

Proposition 6.1. For any environments $\Gamma$ and $\Omega$, any expression $e$ and any sequence $s$, possibly containing the procedures callcc and throw, we have:

• $\Gamma; \Omega \vdash e : \tau$ in ID$^c$ implies $\Gamma^*, \Omega^* \vdash e^* : \tau^*$ in FD$^c$.

• $\Gamma; \Omega \vdash s \triangleright \bar z:\bar\sigma$ in ID$^c$ implies $\Gamma^*, \Omega^* \vdash (s)^*_{\bar z} : \bar\sigma^*$ in FD$^c$.

Proposition 6.2.

• Given a term $t \in \mathcal L$, possibly containing callcc and throw, such that $\Gamma \vdash t : \sigma$ in FD$^c$, and a fresh mutable variable tuple $\bar r$ of any type $\bar\sigma' \in \Sigma_{ID}$, we have $\Gamma^\circ; \bar r:\bar\sigma' \vdash (t)^\circ_{\bar r} \triangleright \bar r : \sigma^\circ$ in ID$^c$.

• Given a value $v \in \mathcal V$, possibly containing callcc and throw, such that $\Gamma \vdash v : \sigma$ in FD$^c$, we have $\Gamma^\circ; \emptyset \vdash v^\circ : \sigma^\circ$ in ID$^c$.

Since our semantics of ID$^c$ is indirect, no representation theorem for ID$^c$ can be claimed. However, we still have the following corollary:

Corollary 6.3. Given an equational system $\mathcal E$ and an $n$-ary function symbol $f$, if $\vdash p : \mathbf{proc}\,\forall\bar n(\mathbf{in}\ \mathrm{nat}(\bar n); \mathbf{out}\ \mathrm{nat}(f(\bar n)))$ is derivable in ID$^c$ then $p^*$ represents $f$.

Proof. $\vdash p^* : \forall\bar n.\,\mathrm{nat}(\bar n) \Rightarrow \mathrm{nat}(f(\bar n))$ is derivable in FD$^c$ by Proposition 6.1, hence $p^*$ represents $f$ by Theorem 5.8. □

6.2 Syntax and typing extensions with control operators

In order to get closer to the usual syntax for jumps in imperative languages, we introduce the following two abbreviations:

  k:{s}_z̄        ≡   cst z̄' = z̄; callcc(proc(in k; out z̄){ z̄ := z̄'; s }_z̄; z̄)
  jump(k, ē)_z̄   ≡   throw(k, ē; z̄)

The first abbreviation corresponds to the declaration of a (first-class) label. Recall that our type systems require the current mutable variables to be passed explicitly inside the body of the procedure, hence the constant declaration. The second abbreviation is a "jump with parameters" to the end of the block annotated with the label given as argument. Since the jump never returns, its output variables matter only for typing purposes; they are thus written as a subscript.

Proposition 6.4. The following typing rules are derivable in ID$^c$:

  $\dfrac{\Gamma, k:\neg\bar\sigma; \bar z:\bar\tau \vdash s \triangleright \bar z:\bar\sigma \quad \Gamma; \Omega, \bar z:\bar\sigma \vdash s' \triangleright \Omega'}{\Gamma; \Omega, \bar z:\bar\tau \vdash k{:}\{s\}_{\bar z};\ s' \triangleright \Omega'}$

  $\dfrac{\Gamma; \Omega, \bar z:\bar\tau \vdash k : \neg\bar\sigma \quad \Gamma; \Omega, \bar z:\bar\tau \vdash \bar e : \bar\sigma}{\Gamma; \Omega, \bar z:\bar\tau \vdash \mathrm{jump}(k, \bar e)_{\bar z} \triangleright \bar z:\bar\tau'}$

Proof. See Appendix C.7. □

6.3 Imperative delimited continuations

As a concluding example, we show how to encode the delimited continuation operators shift and reset [18] in ID$^c$. This example is generic, since Filinski [23, 24] showed that any representable monad can be encoded using shift and reset. We also refer the reader to [75] for a detailed analysis of various type systems for shift and reset in the monadic framework, to [3] for a type-theoretic study of delimited continuations, and to [4] for a generalization of Danvy and Filinski's type system to polymorphic delimited continuations.

Our encoding follows [23], which contains the proof that shift and reset can themselves be implemented using callcc, throw and one global mutable variable storing the meta-continuation. The idea behind this encoding is best understood at the type level. First recall that the original semantics of these operators was given in terms of a double CPS transform [18] (indeed, a single CPS transform is not enough to obtain a term whose semantics is independent of the evaluation strategy). The first transform corresponds to a parameterized continuation monad [6]:

  $M(\alpha, \beta, \gamma) = (\gamma \to \beta) \to \alpha$

The second transform corresponds to the usual continuation monad, with a fixed answer type $o$:

  $\nabla\sigma = (\sigma \to o) \to o$

Composing both transforms [50] yields the following parameterized monad:

  $(\gamma \to \nabla\beta) \to \nabla\alpha \;\cong\; ((\gamma \times (\beta \to o)) \to o) \to ((\alpha \to o) \to o)$
  $\qquad\qquad\qquad\quad \;\cong\; (\alpha \to o) \to (((\gamma \times (\beta \to o)) \to o) \to o)$
  $\qquad\qquad\qquad\quad \;=\; (\alpha \to o) \to \nabla(\gamma \times (\beta \to o))$

Up to simple type isomorphisms, we recognize the parameterized state monad transformer applied to the continuation monad. This monad thus corresponds exactly to composing the state-passing style transform (where the state is a continuation) with a CPS transform. This is the type isomorphism exploited in [23] to encode shift and reset in direct style with a global state (always containing a continuation, called the meta-continuation) and callcc/throw.

Relying on higher-order mutable variables and on the abbreviations for global variables from Section 3.5, Filinski's implementation can thus be translated almost mechanically into ID$^c$ (the type derivations are given in Appendix D.4):

  reset : proc(in proc(in ¬α; out β, ¬β), ¬γ; out α, ¬γ)
  reset = proc(in p; out r)_mk {
    k:{
      cst m = mk;
      mk := proc(in r; out z){ jump(k, r, m)_z; }_z;
      var y; p(; y)_mk;
      jump(mk, y)_{r,mk};
    }_{r,mk}
  }

  shift : proc(in proc(in proc(in α, ¬β; out γ, ¬β), ¬δ; out ε, ¬ε), ¬δ; out α, ¬γ)
  shift = proc(in p; out r)_mk {
    k:{
      proc q(in v; out r)_mk {
        reset(proc(out z)_mk{ jump(k, v, mk)_{z,mk}; }_{z,mk}; r)_mk;
      }
      var y; p(q; y)_mk;
      jump(mk, y)_{r,mk};
    }_{r,mk}
  }

Of course, the images of these procedures under translation $*$ are functional terms typable in FD$^c$. These terms are given in Appendix E in Standard ML syntax [52]. The SML signature CONT is slightly different from [32], but the two are equivalent (see [23] for an implementation of a similar signature in SML/NJ [1]). Their functional types are reproduced here:

  reset : $(\neg\alpha \Rightarrow \beta \wedge \neg\beta) \wedge \neg\gamma \Rightarrow \alpha \wedge \neg\gamma$

  shift : $((\alpha \wedge \neg\beta \Rightarrow \gamma \wedge \neg\beta) \wedge \neg\delta \Rightarrow \varepsilon \wedge \neg\varepsilon) \wedge \neg\delta \Rightarrow \alpha \wedge \neg\gamma$

These types could be made a little more readable by using a parameterized state monad. Still, we recognize the types of shift and reset from [18], where $(\alpha \wedge \neg\delta) \Rightarrow (\beta \wedge \neg\gamma)$ is written in the form $\alpha/\gamma \Rightarrow \beta/\delta$. Our encoding thus provides a formulas-as-types interpretation of the full type system of [18] in a dependently-typed framework.

6.3.1 Example

In [75], Wadler presents several simple examples using shift and reset. His third example, which requires the full type system of [18] to type check, is the following:

  let g = reset (if (shift λf.f) then 2 else 3)
  in (g True) + (g False)

Wadler explains the semantics of his example informally as follows: "Here f (and hence g) is bound to the function that returns 2 if passed True, and 3 if passed False, hence the value of the given term is 5."

Now the question is: how do we prove the correctness of this program formally? The solution we propose consists in first translating the expression into an imperative program (with shift/reset defined as above) and then proving its correctness by deriving the expected specification in ID$^c$. We thus obtain the following imperative program (where the conditional is simulated by a for-loop, and the booleans True and False by the numerals 1 and 0):

  cst q = proc(; out r)_mk {
    cst p = proc(in f; out h)_mk { h := f; };
    var b; shift(p; b)_mk;
    r := 3;
    for i := 0 until b {
      r := 2;
    };
  };
  var g; reset(q; g)_mk;
  var x; g(0; x)_mk;
  var y; g(1; y)_mk;
  add(x, y; z)_mk;

It is then possible to show that $z:\top \vdash s \triangleright z : \mathrm{nat}(\beta_2(0) + \beta_2(1))$ is derivable in ID$^c$, where $s$ is the sequence above and $\beta_2$ is defined by the equations:

  $\beta_2(0) = 3$
  $\beta_2(s(i)) = 2$

We shall not detail the type derivation since it is rather technical. However, we have formally specified ID$^c$, FD$^c$, the translation $*$ and our encoding of shift and reset in Twelf [64]. Moreover, thanks to the Twelf logic programming engine, these specifications are executable, and we have mechanically checked the correctness of the above example (together with a few others from [75]). The interested reader is referred to [14] for more details.
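The continuation monad of Section 5.2 and Filinski's encoding of reset/shift from Section 6.3, run on the example above, as an added executable illustration (this is our own Python, not the paper's Twelf specification nor the SML terms of Appendix E). A computation is a Python callable taking a continuation k; val, bind, callcc and throw are literal transcriptions of the abbreviations `val u`, `let val x = u in t`, `callcc = λh.λk.(h k k)` and `throw = λ(k,a).λk'.(k a)` of Section 5.2, and reset/shift follow the ID$^c$ procedures of 6.3 with the global variable mk held in the cell MK. The functions run, wadler_example, reset_applies_continuation_twice and shift_without_reset_fails, and the initial "missing reset" value of mk, are our additions; the expected value 5 is Wadler's.

```python
# Continuation monad ∇φ = (φ → o) → o; a computation is a function of its continuation k.
def val(u):                      # val u = λz.(z u)
    return lambda k: k(u)

def bind(m, f):                  # let val x = m in f(x) = λz.(m λx.(f(x) z))
    return lambda k: m(lambda x: f(x)(k))

def callcc(h):                   # callcc = λh.λk.(h k k): h receives the current continuation
    return lambda k: h(k)(k)

def throw(k, a):                 # throw = λ(k,a).λk'.(k a): discard k', resume k with a
    return lambda _k: k(a)

def run(m):                      # top level: the identity continuation (o := final answer)
    return m(lambda x: x)

# The single global mutable variable mk (meta-continuation). Outside any reset
# it is our constructed error continuation, so a stray shift is reported.
def _missing_reset(_v):
    raise RuntimeError("shift used outside of reset")

MK = [_missing_reset]

def reset(body):
    # reset = callcc(k. cst m = mk; mk := (r. jump(k, r, m)); y := body(); jump(mk, y))
    def h(k):
        m = MK[0]
        def restore_then_return(r):      # proc(in r; out z){ jump(k, r, m) }: restore mk, answer k
            MK[0] = m
            return k(r)
        MK[0] = restore_then_return
        return bind(body, lambda y: lambda _k: MK[0](y))
    return callcc(h)

def shift(p):
    # shift = callcc(k. proc q(in v) { reset(jump(k, v, mk)) }; y := p(q); jump(mk, y))
    def h(k):
        def q(v):                        # the captured delimited continuation as a procedure
            return reset(throw(k, v))
        return bind(p(q), lambda y: lambda _k: MK[0](y))
    return callcc(h)

def wadler_example():
    # let g = reset (if (shift λf.f) then 2 else 3) in g True + g False
    body = bind(shift(lambda f: val(f)), lambda b: val(2 if b else 3))
    prog = bind(reset(body),
                lambda g: bind(g(True),
                lambda x: bind(g(False),
                lambda y: val(x + y))))
    return run(prog)                     # 5: g behaves as "2 if True else 3"

def reset_applies_continuation_twice():
    # reset (1 + shift (λk. k (k 2))) = 1 + (1 + 2)
    body = bind(shift(lambda k: bind(k(2), k)), lambda v: val(1 + v))
    return run(reset(body))              # 4

def shift_without_reset_fails():
    # Failure mode: shift with no enclosing reset reaches the error meta-continuation.
    MK[0] = _missing_reset
    try:
        run(shift(lambda k: val(0)))
    except RuntimeError:
        return True
    return False

if __name__ == "__main__":
    print(wadler_example(), reset_applies_continuation_twice(), shift_without_reset_fails())
```

Each reset saves the current mk, installs a continuation that restores it and then answers the reset's own caller, and finally jumps to mk with the body's value; applying a captured q(v) re-enters the original context under a fresh reset, which is why the two calls g(True) and g(False) in wadler_example each return to their own call site instead of the first one.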
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Appendix A Properties of I and F 



A.l Basic properties of I 

Definition. The sets $FI(s)$, $FI(c)$ and $FI(e)$ of free identifiers (including both variable and constant identifiers) of a sequence, a command and an expression are defined by mutual induction as follows: 

- $FI(y) = \{y\}$ 

- $FI(*) = FI(0) = \emptyset$ 

- $FI(e_1, \ldots, e_n) = FI(e_1) \cup \ldots \cup FI(e_n)$ 

- $FI(\text{proc (in } \bar y\text{; out } \bar z)\ \{s\}_{\bar z}) = FI(s) \setminus (\bar y \cup \bar z)$ 

- $FI(\text{inc}(y)) = FI(\text{dec}(y)) = \{y\}$ 

- $FI(\{s\}_{\bar x}) = FI(s) \cup \bar x$ 

- $FI(y := e) = \{y\} \cup FI(e)$ 

- $FI(p(e; \bar y)) = \bar y \cup FI(e) \cup FI(p)$ 

- $FI(\text{for } y := 0 \text{ until } e\ \{s\}_{\bar x}) = FI(e) \cup (FI(s) \setminus \{y\}) \cup \bar x$ 

- $FI(\varepsilon) = \emptyset$ 

- $FI(c; s) = FI(c) \cup FI(s)$ 

- $FI(\text{cst } y = e; s) = FI(\text{var } y := e; s) = FI(e) \cup (FI(s) \setminus \{y\})$ 
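The definition above, implemented clause by clause over a small AST of the imperative language, as an added JavaScript example (not code from the paper). The node shapes, helper names and the two constructed inputs are my own; the inputs are the body of `mult` from Appendix D.1.2 and the `cst p = ...; shift(p; b)mk` fragment of the shift/reset example above.

```javascript
// Added example (not from the paper): the free-identifier function FI of
// Definition A.1, computed over a small AST for the imperative language.
// The node shapes are my own; each clause mirrors one equation.

function union(...sets) {
  const out = new Set();
  for (const s of sets) for (const v of s) out.add(v);
  return out;
}
function minus(set, names) {
  const out = new Set(set);
  for (const n of names) out.delete(n);
  return out;
}

// Expressions: identifier, * (unit), 0, tuple, procedure.
function fiExpr(e) {
  switch (e.t) {
    case 'id':    return new Set([e.name]);                   // FI(y) = {y}
    case 'unit':
    case 'zero':  return new Set();                           // FI(*) = FI(0) = {}
    case 'tuple': return union(...e.items.map(fiExpr));       // FI(e1,...,en)
    case 'proc':  return minus(fiSeq(e.body), [...e.ins, ...e.outs]); // FI(s) \ (y u z)
    default: throw new Error('unknown expression ' + e.t);
  }
}

// Commands.
function fiCmd(c) {
  switch (c.t) {
    case 'inc':
    case 'dec':    return new Set([c.y]);                                // {y}
    case 'block':  return union(fiSeq(c.s), new Set(c.x));               // FI(s) u x
    case 'assign': return union(new Set([c.y]), fiExpr(c.e));            // {y} u FI(e)
    case 'call':   return union(new Set(c.y), fiExpr(c.e), fiExpr(c.p)); // y u FI(e) u FI(p)
    case 'for':    return union(fiExpr(c.e), minus(fiSeq(c.s), [c.y]), new Set(c.x));
    default: throw new Error('unknown command ' + c.t);
  }
}

// Sequences: empty, c; s, and the binders cst/var whose scope is the rest s.
function fiSeq(s) {
  switch (s.t) {
    case 'empty': return new Set();                                    // FI(eps) = {}
    case 'seq':   return union(fiCmd(s.c), fiSeq(s.s));                // FI(c) u FI(s)
    case 'cst':
    case 'var':   return union(fiExpr(s.e), minus(fiSeq(s.s), [s.y])); // FI(e) u (FI(s) \ {y})
    default: throw new Error('unknown sequence ' + s.t);
  }
}

// Entry point: dispatch on the node kind and return a sorted array.
const SEQ_KINDS = new Set(['empty', 'seq', 'cst', 'var']);
const EXPR_KINDS = new Set(['id', 'unit', 'zero', 'tuple', 'proc']);
function freeIdentifiers(node) {
  const fi = SEQ_KINDS.has(node.t) ? fiSeq : EXPR_KINDS.has(node.t) ? fiExpr : fiCmd;
  return [...fi(node)].sort();
}

// Constructed input 1: the body of `mult` from Appendix D.1.2,
//   Z := 0; for I := 0 until Y { add(Z, X; Z) }Z
const id = (name) => ({ t: 'id', name });
const seq = (c, s) => ({ t: 'seq', c, s });
const multBody = seq(
  { t: 'assign', y: 'Z', e: { t: 'zero' } },
  seq({ t: 'for', y: 'I', e: id('Y'), x: ['Z'],
        s: seq({ t: 'call', p: id('add'), e: { t: 'tuple', items: [id('Z'), id('X')] }, y: ['Z'] },
               { t: 'empty' }) },
      { t: 'empty' }));
// Wrapping it in the procedure binds X, Y and Z, leaving only `add` free.
const multProc = { t: 'proc', ins: ['X', 'Y'], outs: ['Z'], body: multBody };

// Constructed input 2: the binder from the shift/reset example,
//   cst p = proc(in f; out h){ h := f }; shift(p; b)mk
// `p` is bound by cst, so only `shift`, `b` and `mk` remain free
// (the trailing mk is modelled here as a second out variable of the call).
const cstExample = {
  t: 'cst', y: 'p',
  e: { t: 'proc', ins: ['f'], outs: ['h'],
       body: seq({ t: 'assign', y: 'h', e: id('f') }, { t: 'empty' }) },
  s: seq({ t: 'call', p: id('shift'), e: id('p'), y: ['b', 'mk'] }, { t: 'empty' }),
};
```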
A.2 Translation from F to I and retraction 

Definition A.1. We define the translation of any term $t$ of F into a term $t^\diamond$ of $\mathcal{L}$ by the following equations: 

$x^\diamond = x$ 

$0^\diamond = 0$ 

$S^n(0)^\diamond = S^n(0)$ 

$= \text{let } x = t^\diamond \text{ in let } x = \text{succ}(x) \text{ in } \ldots \text{ let } x = \text{succ}(x) \text{ in } x$ 

$(\lambda x.t)^\diamond = \lambda x.t^\diamond$ 

$\text{pred}(t)^\diamond = \text{let } x = t^\diamond \text{ in let } x = \text{pred}(x) \text{ in } x$ 

$\text{rec}(t_1, t_2, t_3)^\diamond = \text{let } a = t_1^\diamond \text{ in let } b = t_2^\diamond \text{ in let } c = t_3^\diamond \text{ in let } z = \text{rec}(a, b, \lambda x.\lambda y.\text{let } d = c\ x \text{ in let } e = d\ y \text{ in } e) \text{ in } z$ 

$(t\ u)^\diamond = \text{let } x = t^\diamond \text{ in let } y = u^\diamond \text{ in let } r = x\ y \text{ in } r$ 

$(\text{let } x = u \text{ in } t)^\diamond = \text{let } y = u^\diamond \text{ in let } x = y \text{ in } t^\diamond$ 

$(t_1, \ldots, t_n)^\diamond = \text{let } x_1 = t_1^\diamond \text{ in } \ldots \text{ let } x_n = t_n^\diamond \text{ in } (x_1, \ldots, x_n)$ 


Proposition A.2. For any term $t$ of F, we have $t^\diamond \in \mathcal{L}$. 

Proof. Straightforward induction on $t$. □ 

Lemma A.3. Given a term $t \in \mathcal{L}$ and a fresh mutable variable tuple $\bar r$ we have $\bar r \notin FV(((t)_{\bar r})^*_{\bar r})$. 

Proof. By induction on $t$. 
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= let ri = {wty in ... let r„= {wn)* in f 
We easily conclude since f does not occur in (w*)*. 

• ((let y = iu in u)^)^ 

= (est y = w^; (u)?)? 
= let y = {w'')* in ((u)?)? 
By induction hypothesis, r ^JV{{{u)'p)p), and f does not occur in (w*)*. 

• ((let y = succ(u>) in 

= (var z:=w;^; inc(z); est y = z: {u)^)p 
= (let z = succ(2;) in let y = z in ((u)^)i) [(t«^)7z] 
= (let z = succ((?L'*)*) in let y = z in ((u)?)^) 
By induction hypothesis, r ^ J-V {{{u)p)p) , and r does not occur in {w'^)*. 

• The case of pred is similar to succ. 

• {{let X =rec{w, w , Xi.Xy .t) in u)p)f 

= {var z:=iv; for i := until {est y = z; (t)|}?; cstx=z; (u)f)p 
= let 2 =rec((w^)^,z, Ai.Az.let y^ in ((t)|)i) in let in {{u)'i)p)[{w'')* /z] 

= let ^=rec((u;*)^(^z;^)*,AiAz.let in ((i)!)?) in let in ((«)?)?) 

By induction hypothesis, r ^ -^(((m)?)p), and f does not occur in {w'^)*, (w5*)* and ((t)|)?). 

• ((let X = w w in u)f)% 

= (var z; csta;=z; {u)f)f 

= (let z =(«;*)* (w*)* in let a;i = zi in ... let a;„ = z„ in ((«)?)?) [O/z] 
= let z={w'^)* («;*)* in let xi = zi in ... let Xn = Zn in ((m)^)* 
By induction hypothesis, f ^J-V{{{u)'f)p), and r does not occur in {w'^)* and («;*)*. 

• ((let a; = t in u)f )f 

= (var z; {(f)|}?; cstf = z; (m)2))1 

= (let z =((t)|)2 in let xi = zi in ... let x„ = z„ in (('u)?)p)[()/^] 
= let z={{t)g)g in let .xi = zi in ... let .t„ = z„ in ((u)r)f 
By induction hypothesis, r ^ J^(((m)p)p), and r does not occur in ((t)|)g). 

□ 

Definition A.4. We define the reduction relation $\twoheadrightarrow$ as the reflexive, transitive and contextual closure of the 
reduction $\to$ for arbitrary contexts. 

Proposition. We prove the following properties, which clearly imply $((t)_{\bar r})^*_{\bar r} \approx t$ and, if $w = S^n(0)$ or $w = *$, 
then $w^{\diamond *} = w$, else $w^{\diamond *} \approx w$. 

• Given a term $t \in \mathcal{L}$ and a fresh mutable variable tuple $\bar r$ we have $((t)_{\bar r})^*_{\bar r} \twoheadrightarrow t$. 

• Given a value $w \in \mathcal{V}$, if $w = S^n(0)$ or $w = *$ then $w^{\diamond *} = w$, else $w^{\diamond *} \twoheadrightarrow w$. 

Proof. By mutual induction. 

• (S'"(0)<>)* = n* = 5"(0). 

• {y'^)* = y* = y- 

• (OT = ** = ()• 

• {{Xx.tf)* 

= (proc(in f ;out z) {(i)|}j)* 
= Ax.((t)|)i[()/z] 

= Af .((t)|)i since z ^ JV(((t)|)|) by Lemma A.3 
Xx.t by induction hypothesis. 

• {{wWf 

= (f :=«50;)S 

= let ri = {wi)* in ... let r„ = (w^)* in f 
{ivy 

-» w by induction hypothesis. 
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• {{let y = w in u)f )f 

= (est y = w^; (w)p)p 
= let y=Kr in 

let y = w in u by induction hypothesis. 

• ((let 2/ = succ(u>) in 

= (var z:=iv'^; inc{z); est y = z; (u)p)p 

= (let z = succ(z) in let y = z in {{u)p)p)[{w'^)* / z] 

= (let z = suee((w*)*) in let y = z in ((u)S)t) 

(let y = suee((w*)*) in {{u)^)i) since z^JV{{u)'i)i) 
-» let y = succ{w) in u by induction hypothesis. 

• The case of pred is similar to succ. 

• {{let X =Tec{'w,w ,\i.\y .t) in u)f)f 

= {var z:=w; for z := until {est y = z; (t)!}?; est a; =2; (m)?)? 
= let ^ = ree((w^)*,z, Az.Az.let in ((t)?)j) in let in {{u)^)*>)[{w^ 

= let ^ = ree((w^)*, (w^)*, Ai.Az .let y^z in ((t)|)j) in let £^ in ((w)?)?) 
^ letz=rec{{w-)*,{w-r,Xz.Xz.{{mt[g/y]) in ((^x)2)i)[z/x] 

let z = ree(z<;, tZ) , Ai.Az .t[z/2/ ]) in u[z /x] by induction hypothesis 
= let X = ree(w, w , Xi.Xy.t) in u modulo a-conversion. 

• ((let X = w w in u)^)f 

= (var z; w^(w^;z); esta;=z; {u)f)f 

= (let z = (ui*)* {w^Y in let xi = z\ in ... let a;„ = z„ in ((u)?)?)[()/^] 
= let z =(w*)* (w^)* in let a;i = zi in ... let a;„ = z„ in ((«)?)? 
^ let z = (w^)^ (w^)* in ((M)S)i[z/x] 

let z =w w in u[z /x] by induction hypothesis 
= let X = w w in u modulo a-conversion. 

• ((let X = t in u)f)f 

= (var z; {{t)s}s; cstx=z; (u)?))? 

= (let z =((t)|)g in let Xi = zi in ... let Xn = z„ in {{u)f)f)[{)/z] 
= (let z = ((i)|)g in let a;i = zi in ... let a;„ = z„ in {{u)f)p) 

letz=((i)|)| in ((m)^)?[z/x] 
-» let z = t in u[z/af] by induction hypothesis 
= let af = Mn u modulo a-conversion. 
Figure B.1. Alternative imperative pseudo-dynamic type system [rules (t.env), (t.num), (t.unit), (t.tuple), (t.proc), (t.empty), (t.cst), (t.var), (t.block), (t.inc), (t.dec), (t.assign), (t.for), (t.call)] 



Appendix B Properties of IS and FS 

B.l Alternative pseudo-dynamic type system 

We first present in Figure B.l a different (but equivalent) formulation of the pseudo-dynamic type system 
which is easier to deal with when proving properties by induction on sequences. 



B.2 Preliminary properties 

Lemma B.1. If $\Gamma, x:\tau; \Omega \vdash s \triangleright \Omega'$ and $\emptyset;\emptyset \vdash e:\tau$ in IS then $\Gamma; \Omega \vdash s[x \leftarrow e] \triangleright \Omega'$ in IS. 

Proof. Straightforward induction on $s$. □ 

Lemma B.2. If $\Gamma; x:\tau, \Omega \vdash s \triangleright x:\sigma, \Omega'$ in IS then $\Gamma; y:\tau, \Omega \vdash s[x \leftarrow y] \triangleright y:\sigma, \Omega'$ in IS. 

Proof. Straightforward induction on $s$. □ 

Lemma B.3. If $\Gamma; \Omega \vdash s \triangleright \Omega'$ in IS then for any $x:\sigma$, $\Gamma, x:\sigma; \Omega \vdash s \triangleright \Omega'$ and $\Gamma; \Omega, x:\sigma \vdash s \triangleright \Omega'$ in IS. 

Proof. Straightforward induction on the typing derivation. □ 

Lemma B.4. If $\mu \triangleright \Omega$ and $\emptyset; \Omega \vdash e:\tau$ in IS and $e =_\mu w$, then we have $\emptyset;\emptyset \vdash w:\tau$ in IS. 

Proof. The case $e = w$ is trivial and if $e$ is some variable $x \in \Omega$ then by definition of $\mu \triangleright \Omega$, we have 
$\emptyset;\emptyset \vdash \mu(x) = w : \tau$. □ 

B.3 Reduction preserves typing 

Theorem. For any state $(s, \mu)$, $\Omega$ and $\bar z$, if $\bar z:\bar\tau \vdash (s, \mu) \triangleright \Omega$ in IS and $(s, \mu) \mapsto (s', \mu')$ then there exists $\bar\tau'$ 
such that $\bar z:\bar\tau' \vdash (s', \mu') \triangleright \Omega$ in IS. 

Proof. By induction on the derivation of (s, /it) i— ^ (s', /x'), and then by analysis of the typing derivation. 
• (s.BLOCK-i): we have /iC> A,x:f and 



<1);x:t\-s>x:t 0; A, f : f h s > A' 
0; A,x:fl-{}g; s > A' 

then we get 0; A, x : r h s t> A' hence [> A, x : f and A, a; : f h (s, /i) t> A'. 
(s.BLOCK-ll): we have fj,>A,x:a 

9;x:a\-si>x:f 9; A,x:f\- S2 > A' 
9;A,x:ah{si}g; S2 t> A' 

By induction hypothesis on x: a \- (si, fj,) t> x : t , we obtain x: a'\- {s'l, [> x:f which gives us 0; x: 
Sit> x:f and jj,' t> A,x:a'. We can build the following typing derivation to conclude: 



(s.VAR-l): we have > f2 



li;x:a'\- s[t> x:f 0; A, f : f h s [> A' 
0;A,x:CT'h{si}s; S2 > A' 



then we get 0; O h £ > O. 
(s.VAR-ii): we have fj,> A and 



i;n^e:T 0; f^, y: t h £ [> Q 
0; n h var y:=e; £ [> Q 



0;AI-e:r 0; A, y: r h s > O y^Q 
0; A h var y:=e; s [> O 

By Lemma B.4, /U > A and 0; A h e: r and e =^ w implies 0; h w: r. By definition of store typing, (/x, 
y ^ w) \> A, y: r. By induction hypothesis, since A, y: t h (s, (/i, y w)) [> is derivable, wc obtain F, 
y: (T h (s', (/x', y ^ w')) > f2 which implies 0; F, y: a h s' [> with (/x', y ^ w') = F, y: a. This last asser- 
tion trivially implies 0; F h w': a by definition of store typing. We can then build the following typing 
derivation to conclude: 

0;FhM;':a 0; F, y: a h s' [> y^n 
0;FI-var y:=w'; s'[>0 

• (s. assign): we have fx[> A,y:a and 

0; A,y:a\- e: (f ) 0; A, y : f h s [> A' 



•,A,y:a\-y:=e; s > A' 
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then we get 0; A, y : f h s > A'. By Lemma B.4, /z > A, y : a and 0; A, y : a h e: (f ) and e =^ (w) implies 
0;0l-ti5:f . Then, by definition of store typing, we obtain w] [> A,y:f. 

(S.INC): we have /i > A, y: nat and 

0; A,2;:natl-s[> A' 
0; A,y:natl-inc(i/); soA' 

then 



!);A, y:natl-g+l:nat 0; A, y: nat h s > A' 



0; A, y:natl-y:=g + l; s > A' 

(s.DEC): similar to above. 
(s.CALl): we have /il> A,r:w and 

0; A,r:a;l-p:proc (in f ;out (?) 0;A,r:d}|-e:f 0; A, r : a h s > A' 

0; A,r:a; |-p(e ,f); s[>A' 

By Lemma B.4, ^ [> A, f : tJ and 0; A, f : w h e : f and e =^ w imphes 0; h w: f . Still by Lemma B.4, 
IJ. l> A, r: Co and 0; A, f : w h p: proc(in f ; out ct) and p =n proc(in y; out a;){s'}g implies 0; 
0l-proc(in y;out ^){s}£: proc(in f;out a), that is 

^7^0 0; y:f?;S':unitl-s'l>:r:(T 



0;0l-proc (in y;out af){s'}£: proc(in r; out a) 



By Lemmas B.l and B.2, 0; y : a; a; : unit \- s' [> x:a and 0; h u;: f implies 0; r : unit h s'[y ^ w] [x ^ 
f ] t> f: a. By definition of store typing, we have /i[f ■<—*][> A, f: unit and we can then build the fol- 
lowing typing derivation to conclude: 

0; f : unit h s'[y ^ 'w][x -(r^ r] [> f : a 0; A, f : h s [> A' 



9; A, f: unit\- {s'[y ■^w][x ■(r^f]}s;; s>A' 

(s.cst): we have fj,> A and 

0;AI-e:r y:T;A\-s\>n 



; A h est y = e; s > 



By Lemma B.4, /i > A and 0; A h e: r and e =n w implies 0; h ui: r. By Lemma B.l, y: r; A h s > Q 
and 0; 0l-t«:T implies 0; Ah s[y^ w] > CI. 

(s.FOR-l): we have iJ.[>A,x:a and 

0; A, a;: (7 he: nat y: nat; x : h s > x : ct 0; A, a; : a h s' > A' 



0; A,x:d\- for y := until e {s}g; s' > A' 

We have immediately 0; A, af : h s' [> A'. 
(s.FOR-ll): we have ^>A,x:a and 

0; A, a;: (7 he: nat y: nat; x : a \- s t> x : a 0; A, af: a h s' > A' 
0; A, X : (T h for y := until e {s}g; s' > A' 

By Lemma B.l, y: nat; x : h s > x : and 0; h g : nat implies 0; x : h s[y g ] > x:a. We can then 
build the following typing derivation to conclude: 



; A,a;: (T h 5: nat y: nat; x : a \- s t> x : a 9; x : a \- s[y <— q]> x: a 

0;x:i7hfor y:=0 until q {s}g; s[y -i^ q] r> x : a 0; A, f : a h s' > A' 

0;A,f:CTh {for i/:=0 until g {s}^; s[yi- q]}g; s'>A' 

□ 
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B.4 Progress 

Proposition. For any state $(s, \mu)$, $\Omega$ and $\bar z$, if $\bar z:\bar\tau \vdash (s, \mu) \triangleright \Omega$ in IS then either $s = \varepsilon$ and no more reduction can occur, or there is a state $(s', \mu')$ such that $(s, \mu) \mapsto (s', \mu')$. 

Proof. By induction on $\bar z:\bar\tau \vdash (s, \mu) \triangleright \Omega$. 

• $s = \varepsilon$: then we are in the first case. 

• s = (est y = e; si): if e = a; then by definition of state typing, x S dom{i2) ; we then have ((est y = e; 
si),fj,)^{si[y^ip^{e)],ii)). 

• s= (var y := e; Si): if e = x then by definition of state typing, x G dom{ii) ; by induction hypothesis 

on z: f , y: r h (si, {n, y^if^{e))) \> Vt, y.r', we have either si = e or (si, y^ <y£'^(e))) ^ (s^, (^', 
w')) ; in the first case, we have ((var y := e; e), /x) (e, /x), and in the second case we have ((var y := 
e; si),/x)n>((var y:=w'; Si),/i')- 

• s = ({si}?'; S2): by induction hypothesis on z': a h (si, /x) [> 0': ct', we have either si = e or (si, /x) 1-^ 
{s'l, fi') ; in the first case, we have (({}?'; S2), /x) (s2, m)) a^^d in the second case we have (({si}?'; 

s2),Ai)i->(({sl}s'; s2),/i')- 

• s = (inc(y); si): by definition of state typing, y e dom{iJ,) ; we have ((ine(y); si), /x) 1— > ((y := g+ 1; 
si),/x). 

• the case for dec is similar to ine. 

• s = {y := e; si): if e = a; then by definition of state typing, x G dom{i^), hence e =^ {w) can always be 
derived ; we have ((y := e; si), fi) 1— )■ (si, /i[?7 w]). 

• s = (j3(e; r); si): if = a; then by definition of state typing, x S dom{iJL), similarly for p ; we have 
((p(e;r); s), /;x) i-> (({s'[y ^ w5] [z ^ r s),^[r^*]). 

• s= (for 2/ := until e {si}?'; S2): if e = x then by definition of state typing, x G dom{ii) ; either 
e and ((for y := until e {si}?'; S2), '-^ (■52, m), or e (5 and ((for y := until e {sijj'; S2), 
/x)i-s- (({for y:=0 until g {si}u'\ Si[y^g]}?'; S2),/x). □ 

B.5 Expressiveness 

Definition B.5. The translation of a type $\tau \in \Sigma_{FS}$ into a type $\tau^\diamond \in \Sigma_{FS}$ is defined by the following rules: 

$\mathrm{nat}^\diamond = \mathrm{nat}$ 

$\mathrm{unit}^\diamond = \mathrm{unit}$ 

$(\tau_1 \times \ldots \times \tau_n)^\diamond = (\tau_1^\diamond \times \ldots \times \tau_n^\diamond)$ 

Proposition B.6. For any functional term $t$, if $\Gamma \vdash t:\tau$ in FS then $\Gamma^\diamond \vdash t^\diamond:\tau^\diamond$ in FS. 

Proof. Straightforward induction on $t$. □ 
Appendix C Properties of ID^c and FD^c 

C.1 Alternative dependent type system 

We first present in Figure C.1 a different (but equivalent) formulation of the imperative dependent type 
system which is easier to deal with when proving properties by induction on sequences. 

C.2 Preliminary properties 

Lemma C.1. If $\Gamma, x:\tau; \Omega \vdash s \triangleright \Omega'$ and $\emptyset;\emptyset \vdash e:\tau$ in ID then $\Gamma; \Omega \vdash s[x \leftarrow e] \triangleright \Omega'$ in ID. 

Proof. Straightforward induction on $s$. □ 

Lemma C.2. If $\Gamma; x:\tau, \Omega \vdash s \triangleright x:\sigma, \Omega'$ in ID then $\Gamma; y:\tau, \Omega \vdash s[x \leftarrow y] \triangleright y:\sigma, \Omega'$ in ID. 

Proof. Straightforward induction on $s$. □ 

Lemma C.3. If $\Gamma; \Omega \vdash s \triangleright \Omega'$ in ID then for any $x:\sigma$, $\Gamma, x:\sigma; \Omega \vdash s \triangleright \Omega'$ and $\Gamma; \Omega, x:\sigma \vdash s \triangleright \Omega'$ in ID. 

Proof. Straightforward induction on the typing derivation. □ 

Lemma C.4. If $\mu \triangleright \Omega$ and $\emptyset; \Omega \vdash e:\tau$ in ID and $e =_\mu w$, then we have $\emptyset;\emptyset \vdash w:\tau$ in ID. 

Proof. The case $e = w$ is trivial and if $e$ is some variable $x \in \Omega$ then by definition of $\mu \triangleright \Omega$, we have 
$\emptyset;\emptyset \vdash \mu(x) = w : \tau$. □ 

C.3 Translation from ID to FD 

Theorem (Soundness for ID). For any environments $\Gamma$ and $\Omega$, any expression $e$ and any sequence $s$ we have: 

- $\Gamma; \Omega \vdash e:\tau$ in ID implies $\Gamma^*, \Omega^* \vdash e^*:\tau^*$ in FD. 

- $\Gamma; \Omega \vdash s \triangleright \bar z:\bar\sigma$ in ID implies $\Gamma^*, \Omega^* \vdash (s)^*_{\bar z}:\bar\sigma^*$ in FD. 

Proof. We proceed by induction on the typing derivation: 
• (t.env) 

y:TGT,fl 
T;Q^y:T 

Indeed, 

y:T*€T*,n* 
T*, n* h y: T* 



(t.num) 



Indeed, 



(t. tuple) 



r;Ohg:nat(s«(0)) 
F*,f2*hO:nat(0) 

r*,O*h59(0):nat(s9(0)) 

F; O h e:f[u/t] 
r;0h(e):3J(T) 
Figure C.1. Alternative imperative dependent type system [rules (t.env), (t.num), (t.equal), (t.tuple), (t.proc)*, (t.subst-i), (t.subst-ii), (t.empty), (t.cst), (t.var), (t.block), (t.inc), (t.dec), (t.assign)*, (t.for)*, (t.call); *where $\bar\imath \notin FV(\Gamma)$ in (t.proc) and in (t.for), and $\bar\imath \notin FV(\Gamma, \Omega, \Omega')$ in (t.assign)] 

Indeed, 

T,n^e*:f*[u/i] 



r,r2he*: 3J(f) 

(t.subst-i) 

F; f2 h e': T[n/i] T;n\- e:n = m 



r;Ohe':T[TO/i] 
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Indeed, 



(t. equal) 



Indeed, 



(t.subst-ii) 



Indeed, 



(t. empty) 



r*,f2*he' :r[n/i] T*, fi* h e*: n = m 
r*,0*he'*:r[m/i] 

\-en = m 
F; f2h * : n = rn 

\-sn = m 



r*, Q* h : n = TO 

F; h s [> z: a[n/i] r;ril-e:n = TO 
F; f2 h s > z:a[m/i] 

F*,f2*h(s)J:CT*[n/i] F;f2he*:n = TO 
F*,fi*h(s)|:(T*[TO/i] 



T;fl,z: a \- e> z: a 

T,n,z:a*hz:a* 

T;Cl\-e:T T,y:T;fl\- st> z:a 
F; Oh est y = e; s\>z:a 

F*,Q*he*:r* F*, y: r*, 0* h (s)|: ct* 
F*, O* h let 2/ = e* in (s)| : ct* 

F;OI-e:r F; O, y: r h s > z : ct 
F;f2l-var y:=e; s t>z:a 

Indeed, by the substitution lemma, 



Indeed, 



(t.cst) 



Indeed, 



(t.var) 



(t. block) 



Indeed, 



(t.inc) 



Indeed, 



and 



(t.dec) 



T*,n*h{s)l[e*/y]:a* 

T]x:t \- s\> x: a' r;Q,,x: a' \- s' t> z: a 
T;Q,x:t \- {s}g;s' > z:a 

T*, x: f *h (.s)i: (f '* F*, 0*, x: d'*^{s'Yr.a* 
F*, ^*,x: f* h let f = {s)*g in {s%: a* 

T: v.. tj: nat(s(;;jj h L> ?: n 
F; O, y: nat(n) h inc(t/); st>z:a 

F*, O*, y: nat(n) h succ: Va;(nat(a;) nat(s(a;))) F*, Cl*, y: nat(n) h y: nat(n) 
F*, f2*, y: nat(n) h s\xcc{y): nat(s(n)) 

F*, O*, y: nat(n) h succ(y): nat(s(n)) F*, O*, y: nat(s(n)) h (s)|: a* 
F*, O*, y: nat(n) h let y = succ(y) in (s)|: a* 

F; ri, y: nat(p(n)) \- s\>z:a 
F; O, y: nat(n) h dec(y); s>z:& 
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Indeed, 

r*, n*, y. nat(n) h y: nat(n) 



r*, O*, y: nat(n) h pred(y): nat(p(n)) r*, f2*, y: nat(p(n)) h (s)J: ct' 

r*, Q*, y: nat(n) h let y = pred(j/) in {s)%:a* 

(t.assign) 

r;0,y:CTTe:3J(T) T; fi, y : r h s > ^: ct 



F; fi, y : (T'h y := e; s[>z:a 

with J ^ JV(r,J7,a). Indeed, 



r*, n*, y: a'* h let y = in (s)|: ct* 

since JV(r*,0*,(T*). 
(t.for) 

F; O, ^ : CT[0/i] h e: nat(n) T, y: nat{i);x:a h s [> x:a[s{i)/i\ T; Cl,x:a[n/i] \- s'[>z: a' 
F; Q,,x:a[0/i] hfor y := until e {s}^; s'> (?' 

with JV(r). Indeed, 

F*, n*, X : a*[0/i] h e*: nat(n) F*, Q*, x: a*[0/i] h f : {a*[0/i]) F*, nat(i), f : ct* h (s)J: (CT*[s(i)/i]) 

F*, n*, f : (T*[0/i] h rec(e*, f , Ay.Af .(s)t): (?*[n/i]) 

since ^^/'(F*), and then 

F*, n*, x: a*[0/i] h rec(e*, x , Xy.Xx.{s)%): {a*[n/i]) T*, n\ x: a*[n/i] h (s')|: a"" 
T*,n*,x:a''[0/i]\-let X =rec{e*,x,Xy.Xx.{s)%) in (s')|:<?'* 

(t.proc) 

z=f={ti T,y:a;z:T\- s[>z:t 



F; h proc (in y ; out z ) {s}g: proc V?(in a; out f ) 

with r ^ JV(F). Indeed, 

V\y:&\z:f^{sYr.T* 
T\y:a*^{s)t[{)/A--r* 
T*^Xy.{s)t[{)/z]:\li{S*^T*) 
F*, f]* h Ay [Q/z]: Vr(a* ^ f^) 

since r^7V(F*). 
(t.call) 

F;ri,r:a}l-p:proc Vr(in f ;out (?) F; fi, f : tJ h e : f [u/?] F; O, r :(?[{*/?] h s > z: a' 

F; O, f : w \-p{e; r)\st> z:d' 

Indeed, 

F*, f2*, f : h p*: Vr (f * ^ a*) F*, O*, f : tJ* h e *: (f *) [n /r ] 



F*, O*, r : h (p* e *): CT*[n/r] 

and then 

F*,Q*,f:w*h(p* e^):a^[n/r] F*, r : a*[n/r] h (s)i: a 



F*,0*,r :w*l-let ?=p* in (s)t:CT' 



□ 






C.4 Translation from FD to ID 



Notation C.5. The following typing rules are derivable. 

T;Q,y:f\-s>fl' 
T; O h var y; s >Q' 



T;n\-w:T r;n,y:T\- sl>n' 
F; f2 h var y := ?«; s l> f2' 

T;Q,,z:t\- est y =z; s > fi' 

F; O, y : CT h tZ;: f F; O, y : r h s [> f2' 
T;fl,y:a\-y ■.= iS; s>0' 



Lemma C.6. For all t G £„, if T\-t:T then r = (ui A ... A (T„) /or some cti, cr„. 

Proof. By induction on t S £„. 

• t = v G £„: by definition of u e £„, we have v = {wi, Wn), hence the typing derivation of F h u: r ends 
with: 

T'h iri: (7i[m /T] ... F r a, , [;»,/**] 
F h (wi, w„): 3r.(CTi A ... A cr„) 

• t = let X = u' in u e for any u': by definition, we have in all cases u G £„. By induction hypothesis, 
we have F h u: (cti A ... A o-„) and the typing derivation of t ends with: 

FI-«':3J.f F,^ : f hu: ((71 A ... A(T„) 
Fh let X = u' in u: (in A ... Ao-„) 

□ 

Theorem. 

• Given a term t G sttc/i f/iai F h t: (cri A ... A (t„) in FD with F, <? G SpD 'f^'^ a fresh mutable variable 
tuple (ri,...,r„) of any type a' ^Y^yo we /laue F^; r: ct' h > (ri: CTi, r„: (T„o) m ID. 

• Given a value i; G V sitc/i i/iai T \- v: a in FD m^/i F, a G Sfd, for any environment Q. we have F^; 
Ohu*:CT* m ID. 

Proof. By mutual induction on T\-t:a and T\-v:a, and by case analysis of the translation. 

• x'^ = x 

V^x:a 

Indeed, 

x: c7*eF* 
F«; O h a;: C7« 

FhO:nat(0) 



Fh5"(0):nat(s"(0)) 

Indeed, 



F*;nhn:nat(s"(0)) 
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Indeed, 



rh ():(n = m) 



r*;Oh*:(n = m) 
{Xx.ty — proc (in x;out z) where z ={zi,...,Zm) and t&Cm- 

T,x:T\-t:a 



With t ^ J^(r). By lemma C.6, t G Cm and T, x: t \- t: a implies a = (cti A ... A am)- By induction 

hypothesis, F, ^ : f h implies F*, ^ : r*; ^: ct' h f| t> ^: ct* for any a', hence F*, x : r*; ^ : T h f| > ^: ct*. 
Since TV (F), 

r^,x:r^;z:f ht|[>z:CT^ 
r^;|-proc (in a;; out z) proc Vr(in f ^; out a^) 

and, for any O, r*;f2l-proc (in if; out z) {tljjiproc Vr(in f*;out ct*), by weakening (Lemma C.3). 
(M;)^=f 

FI-wi:(Ti[n/r] ... T\-Wm--a'm[n/t] 
Fhw: 3r.(T 

Indeed, by induction hypothesis, F h ti;^: ai[n/i] implies F*; O h wf: aflft /t] for any f2, hence F*; f : 
CT'hwf:(Tnn/?]. Then 

F*; r : a' h w*: a^in/i] F*; r : a*[n/r] h e > r : 3? .ct* 
F«; f : ct' h f := > f : 3?. a* 

Fhz;:T[n/i] Fhw': (n = m) 
r h w: T[m/z] 

Indeed, by induction hypothesis, F h v: r[n/i] implies F*; f2 h v*: r*[n/i] and F h v': (n = m) implies F*; 
O h u'*: (n = m) for any f2, then 

F*;f2ht;*:r^[n/i] F^; f7 h i;'*: (n = m) 
FO;nhi;0: rO[m/i] 

r\-t:3j.a[n/i] r\~v':{n = m) 



Fhi: 3J.a[m/i] 

Indeed, by induction hypothesis, F h t: <? [n/z] implies F^; r : f ' h (i)^ > r : 3J.(T*[n/i] for any f ' ; F h v': 
(n = m) implies F*; f2 h u'*: (n = m) for any fi, hence F*; r : f ' h u'*: (n = m) ; then 

F*; f : f' h (i)S [> 7^: 3J.CT^[n/i] F<^; r : r ' h u'*: (n = m) 



FO; f : f ' h (f)2 > r : 3J.CT*[m/i] 

(let y = w in u)^ = est y = w*; (u)p 

T\-w:t T,y:T\-u:3t.a 



Fh let y = w in u: 3i.a 

Indeed, by induction hypothesis: 

o F h «j: T implies F*; f2 h w*: for any O, hence F*; f : ct' h w*: ; 

o F, y: T h u: 3?.ct implies F*, y: r*; f : a'\-Uft> 3i.f: ct*. 
Then 

F*; f : a' h w*: F*, y: t"; r : ct' h [> 3r.r : a' 



F*; f : h est y = (u)^ [> 3r.f : ct^ 
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(let y = succ{w) in m)^ = var z:=w'^; inc(z); est y = z; {u)f 

ri-succ:Va;(nat(a;) ^nat(s(a;))) ri-w:nat(n) 

r h succ(w): nat(s(n)) r, y: nat(s(n))) h u: 3i .a 

rhlet y = succ{w) in u:3i.a 

Indeed, by induction hypothesis: 

o r h nat(n) impUes F*; fl h w*: nat(n) for any Q, hence F^; r : a' h w^: nat(n) ; 

o F, y: nat(s(n)) h u: 3t.a implies F, y: nat(s(n)); r : ct' h u > 3i.f: ct*, and, by Lemma C.3, F* 
nat(s(n)); r: a', z: nat(s(n)) h > 3i.f: ct*. 

Then 

F*, y: nat(s(n)); f : a', z: nat(s(n)) h (u)^ > 3i.r: a" 



F*; r : a', z: nat(s(n)) h est y = z; {u)f [> 3i .r: ct* 
F*; f : ct', 2:: nat(n) h inc(2r); est y = z; (u)p>3?.f:a* 

and 

F*;f w*:nat(n) F*; f : ct', 0: nat(n) h inc(2;); csty = 2;; {u)f \> 3i .r : a" 
F*; f : (t'I- var 2; := w*; inc(2;); csty = 2:; (m)^ > Bf.f : ct* 

(let t/ = pred(w) in m)^ = var z:=w''; dec{z); est y = 2;; {u)% 

Fl-w:nat(n) 
F h pred(w): nat(p(n)) F, y: nat(p(n)) h «: 3i .5 
Fhlet y = s\icc{w) in u:3f.CT 

Indeed, by induction hypothesis: 

o T\-w: nat(n) implies F*; f2 h w*: nat(n) for any f2, hence F*; r : h w*: nat(n) ; 

o F, y: nat(p(n)) h «: 3i .& implies F, y: nat(p(n)); f : a'\-u> 3i .r: ct*, and, by Lemma C.3, F* 
nat(p(n)); f : a', z: nat(p(n)) h (u)p > 3i.f: a^. 

Then 

r^, y. nat(p(n)); r : <?', z: nat(p(n)) h {u)p > 3i*.f : 



F^; r : (?', z: nat(p(n)) h est y = z; (m)^ > 3r.r : a* 
F*; f: (?', 0: nat(n) h pred(z); cst?/ = z; (m)^ [> Bf.f : ct* 

and 

F*; f : ct'I- w*: nat(n) F*; f : ct', 2;: nat(n) h pred(z); csti; = 2;; (u)p>3r.r:a* 
F*;f:a'l-var 2:=w*; pred(2:); cst2/ = z; > Bf.f : ct* 

(let X = rec{iv, u5, Xi.Xy.t) in m)p = var 2 := u5; for i := until tz;* {est y = z; est x = 

(«)2 

Fl-w:nat(n) Fl-w:f[0/j] F, i: nat(j), y : f h i: f [s(j)/j] 

F h ree(t«, w , Xi.Xy .t):f[n/ j] F, ^ : f [n/j] h u: 3i.a 

F h let a; = ree(w, w , Xi.Xy.t) in u: 3?.? 

with j ^TV{T). Indeed, by induction hypothesis: 

o T\-w. nat(n) implies F*; fl h w*: nat(n) for any fl, hence F*; f: a', z: T*[0/j] h w*: nat(n) ; 

o Fht3:T[0/j] implies F*; O h t3*: r*[0/j] for any O, hence F*; f : a'h tZ;*: T*[0/j] ; 

o T,x:f[n/j] \-u:a implies F*, a; : f *[n/j]; f : ct'I- (u)p [> 3r.f : and, by Lemma C.3, F*, x: f * 
j]; f : <?', ?: f *[n/j] h (u)2 > 3r.f : ; 

o F, i: nat(j), y-.rht: f[s{j)/j] implies F^, i: nat(j), y: f*; z: f ' h f| > 2: T*[s(j)/j] for any 
hence F*, i: nat(j), y:T^;z:T^h4>z: 7^[s{j)/j]. 
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Then 

^ ro, i: nat(i), j^: r^; : h t| > g: r[s{j)/j] 

T^,i:nat{jy,z:T^hcsty=z; > z : T^[s{j) / j] 

and 

r*, S: f*[n/j]; f : o", z: f*[n/ j] h > 3t.f: a" 
r«; f:d',z: f*[n/j] h est f = [> 3?.f : ct* 

and 

r*;r:a',z:f*[0/j]hw*:nat(n) tti 7r2 
~ ro; f:CT',?:f*[0/j]l- for i:=0 until {est y=^; estf = ^; (u)^i>f:(T* 

since j ^ JV(r*), and finally 

r*;r:a'hw;*:f*[0/j] tt 
r*;f var :=«;; for i := until {est y = ^; estx=z; (m)^ [> 3?.r : ct* 

(let X = w w in m)^ = var z; w^{w'^]z)-, est x =z; (m)^ 

rhu;:V?(f ^3j(f ')) rhw;:f[n/?] 

rhu; M;:3j(f'[n/?]) T, x : f '[n/r] h u: 3k.ct 

r h let af = w w in w: 3k .a 

with y ^ J-V(r, a). Indeed, by induction hypothesis: 

o r h w: Vr(T 3j (f')) implies F*; f2 h w^: proe V?(in r^; 3j out r'^) for any fi, hence F*; r : ct', 
^: T h w*: proe Vr(in f 3J out f ; 

o rht3:f [n/?] implies r*;nhw*:r*[n/?] for any O, hence F*; f : ct', f h f *[n/r] ; 

o F, x: r'[n/?] h u: 3k. a implies F*, r'*[n/?]; f : a'h {u)f > 3/t .f : ct*, and, by Lemma C.3, F*, 
T'*[n/r]; f : ? ', z: r'*[n/?] h (u)^ > 3k. r: a". 

Then 

_ F*, x: f ""[n/r]; f : ', z : f '^[n/?] h (u)? > 3k .f: a* 
FO;f:CT',?:f"'[n/r]hcst f = > 3k .r : a* 

and 

F*;f:(T',f:f hw;*: proe V?(in r*;3J out f'*) F*; f : ct', ^: f h f *[n/?] tt 
r*;r:(7', z:Thu;^(w'^;z); cstf = z; [> 3k .r : ct* 
F*; r : (t'I- var z; ■U)*(w5*; ^); estx=^; (u)^ > 3k .r : ct* 

since J^7V(F*,ct',ct). 

(let X =t in m)^ = var 0; {(t)!}?; est:r=0; (u)^ 

FI-f:3K.f T,x:f\-u:3i.& 
F h let :r = t in u: 3i .a 

Indeed, by induction hypothesis: 

o T \- t: 3k. f implies F*; z: t' h (t)| > 3k. ^: for any f ', hence, by Lemma C.3 F*; r : ct', 0: 
f h(t)|>3K.?:r* ; 

o F, af : f h m: 3?. a implies F*, x : r*; f : ct' h (u)^ > 3r.f : ct*, and, by Lemma C.3, F*, x : f r:a',z: 
f*h(w)^>3?.f:CT*. 

Then 

F^ f : T^; r : d", z : f ^ h (m)S > 3r.f : a* 



F*; r : a', z : f h (t)| > 3k .z: f * ^O; f : ? ', z : h est x = z ; (u)2 O 3? .f : 
FO;f :(T',z:f h{(i)|}g; estf = z; (u)^ > 3r.f : ct* 
F*;f :CT'l-var z; {(t)|}j; cstx=z; (u)^ > 3?.f : 
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□ 

C.5 Expressiveness 

Definition C.7. The translation of a type $\tau \in \Sigma_{FD^c}$ into a type $\tau^\diamond \in \Sigma_{FD^c}$ is defined by the following rules: 

$\mathrm{nat}(n)^\diamond = \mathrm{nat}(n)$ 

$(n = m)^\diamond = (n = m)$ 

$(\forall \bar\imath(\sigma \Rightarrow \tau))^\diamond = \forall \bar\imath(\sigma^\diamond \Rightarrow \tau^\diamond)$ 

$(\exists \bar\imath(\tau_1 \wedge \ldots \wedge \tau_n))^\diamond = \exists \bar\imath(\tau_1^\diamond \wedge \ldots \wedge \tau_n^\diamond)$ 

$\bot^\diamond = \bot$ 

Proposition C.8. For any functional term $t$, if $\Gamma \vdash t:\tau$ in FD^c then $\Gamma^\diamond \vdash t^\diamond:\tau^\diamond$ in FD^c. 

Proof. Straightforward induction on $t$. □ 

C.6 CPS translation 

Lemma C.9. The following typing rules are derivable in FT): 

T\-u:(p r\-u:\^ip T,x: (p\-t:S/4' 



r h val u: Vf r h let val x = u in t: Vtp 



Proof. Indeed, 



and, 



r,z:(p^o\-z:ip^o T\-u:(p 
r,z:ip=^o\-zu:o 
T\-Xz.{z u): (<^=>o) =>o 

T , z: tl) => o, x: (p\- 1: {ip o) o T, z: tp=^ o,x: (p\- z: tp=> o 

r\-u:{ip^o)^o r,z:%l^^o,x:tp\-{tz):o 



r , z: ^ ^ o\- u: {(fi ^ o) ^ o T, z: ip=> o\- \x.{t z): o 

V , z: ij} ^ o\- {u Xx.{t z)):o 
r h Xz.{u Xx.{t z)): (V' =^ o) o 

Lemma C.IO. Abbreviations callcc and throw are typable in FT) as follows: 

calico : {{ip°^o)^V(p°)=>yip° 
throw : {{ip° ^ o) A (p°) ^ V ip° 

Proof. Indeed (with T' = T, h: {<f° =^o)^ {{<f° =^ o) => o),k: ip° ^ o), 



□ 



r'h/i: (y°=»o)^ (((^°^o)^o) r'|-fc:v°=>o 



T'\-{hk):{ip°=^o)^o T'hk:ip°^o 
r'h(/i k k):o 

r, h: {(p° => o) ^ ((<^° => o) => o) h Xk.{h k k): {ip° ^ o) ^ o 
r h Xh.Xk.{h k k): {{ip° o) ((<^° => o) => o)) o) o 
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and, 



r, fc: o, a: ip°, k': ^ o\- k: ip° ^ o T,k: (p° ^ o,a: ip°,k': ijj" ^ oh a: (p° 

r, fc: y° o, a: ip°,k': ip" ^ o\- k a: o 
r, k: (p° =^ o, a: (f° h Xk'.{k a): ^0)^0 
r h A(A;, a).\k'.{k a): (((^° => o) A ip°) ^{il)°^o)^o 



C.7 Labels and jumps 

Proposition. The following typing rules are derivable. 

r;O,0:fhfc:{s}?; s'>Q.' 

F; f2, z : r h /c: ^(7 F; f2, z : r h e : (J 
F; f2, z: f h jump(fc, e)^\>^l' ,z:Q' 

Proof. Indeed, given the type of callcc and throw, we have 

F, k: —'G; z:t\- s\>z:a 
T,z':f,k: -^a; z:f\-st>z:a 

T,z':f,k:-'a;z:T\-z:=z'; st>z:& 
F, z': f; Q.,z:t\- proc (in fc; out z) {z := z'; s}^: proc (in -ict; out a) F; fl,z:a\- s't>Cl' 
F, z': r; O, z: T h callcc(proc {in k;out z) {z := z'; s}s;z); s't>Q' 
F;0,z:f hcst z' = z; callcc(proc {in k;out z) {z := z'; s}j;z); s'l>f2' 

F; fi, z: f h fc: F; fi, z : f h e: 
F; O, z: r h throw(fc, e; z) t> z:Co' 






Appendix D Examples of imperative programs 

In this appendix, we adopt Prawitz-style natural deduction for proof trees. Moreover, we will use the substitution rule (in both functional and imperative typing derivations) without explicitly displaying the equations, 
but only their numbers. 

To begin with, we recall the usual axioms of Peano's arithmetic for $+$, $\times$: 

(1) $x + 0 = x$ 

(2) $x + s(i) = s(x + i)$ 

(3) $x \times 0 = 0$ 

(4) $x \times s(i) = (x \times i) + x$ 



D.1 Multiplication 

D.1.1 Multiplication in FD 

Let $\mathcal{D}$ be the derivation: 

$add: \forall p(\mathrm{nat}(p) \Rightarrow \forall q(\mathrm{nat}(q) \Rightarrow \mathrm{nat}(p + q)))$ and $z: \mathrm{nat}(n \times u)$ give $(add\ z): \forall q(\mathrm{nat}(q) \Rightarrow \mathrm{nat}(n \times u + q))$; 
with $x: \mathrm{nat}(n)$ this gives $(add\ z\ x): \mathrm{nat}((n \times u) + n)$, hence $(add\ z\ x): \mathrm{nat}(n \times s(u))$ by (4). 

Then: 

$y: \mathrm{nat}(m)$ and $0: \mathrm{nat}(n \times 0)$ (from $0: \mathrm{nat}(0)$ by (3)) together with $\mathcal{D}$ give $\mathrm{rec}(y, 0, \lambda i.\lambda z.(add\ z\ x)): \mathrm{nat}(n \times m)$, hence 
$\lambda y.\mathrm{rec}(y, 0, \lambda i.\lambda z.(add\ z\ x)): \forall m(\mathrm{nat}(m) \Rightarrow \mathrm{nat}(n \times m))$ and 
$\lambda x.\lambda y.\mathrm{rec}(y, 0, \lambda i.\lambda z.(add\ z\ x)): \forall n(\mathrm{nat}(n) \Rightarrow \forall m(\mathrm{nat}(m) \Rightarrow \mathrm{nat}(n \times m)))$. 



D.1.2 Multiplication in ID 

cst mult = proc (in X, Y; out Z) { 
    Z := 0; 
    for I := 0 until Y { 
        add(Z, X; Z); 
    }Z; 
}Z; 

(X: nat(x), Y: nat(y))[Z: ⊤] 
    [Z: nat(x × 0)] by (3) 
    (I: nat(i))[Z: nat(x × i)] 
        [Z: nat(x × s(i))] by (4) 
    [Z: nat(x × y)] 
(mult: proc ∀x, y(in nat(x), nat(y); out nat(x × y))) 



D.2 Factorial 

Here follow the equations defining the factorial function: 

(1) $0! = s(0)$ 

(2) $s(n)! = n! \times s(n)$ 

D.2.1 Factorial in FD 

Let $\mathcal{D}$ be the derivation: 

$mult: \forall n(\mathrm{nat}(n) \Rightarrow \forall m(\mathrm{nat}(m) \Rightarrow \mathrm{nat}(n \times m)))$ and $z: \mathrm{nat}(u!)$ give $(mult\ z): \forall m(\mathrm{nat}(m) \Rightarrow \mathrm{nat}(u! \times m))$; 
with $i: \mathrm{nat}(u)$, hence $s(i): \mathrm{nat}(s(u))$, this gives $(mult\ z\ s(i)): \mathrm{nat}(u! \times s(u))$, hence $(mult\ z\ s(i)): \mathrm{nat}(s(u)!)$ by (2). 

Then: 

$x: \mathrm{nat}(p)$ and $1: \mathrm{nat}(0!)$ (from $1: \mathrm{nat}(s(0))$ by (1)) together with $\mathcal{D}$ give $\mathrm{rec}(x, 1, \lambda i.\lambda z.(mult\ z\ s(i))): \mathrm{nat}(p!)$, hence 
$\lambda x.\mathrm{rec}(x, 1, \lambda i.\lambda z.(mult\ z\ s(i))): \forall p(\mathrm{nat}(p) \Rightarrow \mathrm{nat}(p!))$. 

D.2.2 Factorial in ID 

cst fact = proc (in X; out Z) { 
    Z := 1; 
    for I := 0 until X { 
        var Y := I; 
        inc(Y); 
        mult(Z, Y; Z); 
    }Z; 
}Z; 

(X: nat(n))[Z: ⊤] 
    [Z: nat(0!)] by (1) 
    (I: nat(i))[Z: nat(i!)] 
        [Y: nat(i)] 
        [Y: nat(s(i))] 
        [Z: nat(s(i)!)] by (4) 
    [Z: nat(n!)] 
(fact: proc ∀n(in nat(n); out nat(n!))) 
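The two annotated procedures of D.1.2 and D.2.2 as plain loops, with the loop invariants of their annotations ([Z: nat(x × i)] and [Z: nat(i!)]) checked at every iteration, as an added JavaScript example (not code from the paper). The `add` primitive, the `check` callbacks and `verifyAnnotations` are my own.

```javascript
// Added example (not from the paper): `mult` and `fact` from Appendix D run as
// JavaScript loops, checking the annotated loop invariants at each iteration.
// `add` is assumed to be the primitive addition that the paper's `mult` calls.

function add(a, b) { return a + b; }

// mult = proc(in X, Y; out Z) { Z := 0; for I := 0 until Y { add(Z, X; Z) }Z }Z
function mult(X, Y, check = (I, Z) => {}) {
  let Z = 0;                      // [Z: nat(x × 0)] by axiom (3)
  for (let I = 0; I < Y; I++) {   // loop variable I: nat(i)
    check(I, Z);                  // invariant at loop entry: Z = X × I
    Z = add(Z, X);                // [Z: nat(x × s(i))] by axiom (4)
  }
  return Z;                       // [Z: nat(x × y)]
}

// fact = proc(in X; out Z) { Z := 1; for I := 0 until X { var Y := I; inc(Y); mult(Z, Y; Z) }Z }Z
function fact(X, check = (I, Z) => {}) {
  let Z = 1;                      // [Z: nat(0!)] by (1)
  for (let I = 0; I < X; I++) {
    check(I, Z);                  // invariant at loop entry: Z = I!
    let Y = I;                    // var Y := I, [Y: nat(i)]
    Y = Y + 1;                    // inc(Y), [Y: nat(s(i))]
    Z = mult(Z, Y);               // [Z: nat(s(i)!)] since s(i)! = i! × s(i)
  }
  return Z;                       // [Z: nat(n!)]
}

// Reference factorial used by the invariant check for `fact`.
const refFact = (n) => (n === 0 ? 1 : n * refFact(n - 1));

// Runs mult(x, y) and fact(n) with the invariant checks switched on and
// reports whether every iteration satisfied its annotation.
function verifyAnnotations(x, y, n) {
  let ok = true;
  const m = mult(x, y, (I, Z) => { if (Z !== x * I) ok = false; });
  const f = fact(n, (I, Z) => { if (Z !== refFact(I)) ok = false; });
  return { ok, m, f };
}
```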



D.3 Acker mann function 

Here follows the equations defining a version of the Ackermann function (from [49]): 

(1) a(0,n) = s(n) 

(2) a(s(z),0) = s(s(0)) 

(3) a{z,a{s{z),u)) = a{s{z),s{u)) 



D.3.1 Ackermann function in FD

Here follows an annotated version of the proof given in [49]. Let 𝒟 be the derivation:

  0: nat(0)
  ---------------
  S(0): nat(s(0))
  ---------------------
  S(S(0)): nat(s(s(0)))
  ------------------------  by (2)
  S(S(0)): nat(a(s(z), 0))

  f: ∀n(nat(n) ⇒ nat(a(z, n)))    k: nat(a(s(z), u))
  --------------------------------------------------
  (f k): nat(a(z, a(s(z), u)))
  ----------------------------  by (3)
  (f k): nat(a(s(z), s(u)))

  y: nat(n)    S(S(0)): nat(a(s(z), 0))    (f k): nat(a(s(z), s(u)))
  ------------------------------------------------------------------
  rec(y, S(S(0)), λj.λk.(f k)): nat(a(s(z), n))
  ------------------------------------------------------------------
  λy.rec(y, S(S(0)), λj.λk.(f k)): ∀n(nat(n) ⇒ nat(a(s(z), n)))

Then:

  y: nat(n)
  ---------------
  S(y): nat(s(n))
  ------------------  by (1)
  S(y): nat(a(0, n))
  ----------------------------------
  λy.S(y): ∀n(nat(n) ⇒ nat(a(0, n)))

  x: nat(m)    λy.S(y): ∀n(nat(n) ⇒ nat(a(0, n)))    𝒟
  -----------------------------------------------------------------------------------------------
  rec(x, λy.S(y), λi.λf.λy.rec(y, S(S(0)), λj.λk.(f k))): ∀n(nat(n) ⇒ nat(a(m, n)))
  -----------------------------------------------------------------------------------------------
  λx.rec(x, λy.S(y), λi.λf.λy.rec(y, S(S(0)), λj.λk.(f k))): ∀m(nat(m) ⇒ ∀n(nat(n) ⇒ nat(a(m, n))))
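The recursor rec of the FD derivations in D.1 to D.3, together with the mult, fact and Ackermann terms above, transcribed to Python as an added illustration (this is not code from the paper). The definition of add is assumed to be the usual rec over its second argument, since its FD derivation is not reproduced here; the Ackermann term shows why rec is used at the higher type nat ⇒ nat, with a function as base case and each step building the next function from the previous one.

```python
"""Added example (not from the paper): the recursor rec of the FD derivations
in D.1-D.3, with mult, fact and the paper's Ackermann variant a(s(z),0) = s(s(0))
written as the same lambda-terms as on the page."""
from typing import Callable, TypeVar

T = TypeVar("T")


def S(n: int) -> int:
    """Successor term S(n) / s(n)."""
    return n + 1


def rec(n: int, base: T, step: Callable[[int], Callable[[T], T]]) -> T:
    """rec(0, b, f) = b and rec(s(i), b, f) = f i (rec(i, b, f)), as an iteration.
    step receives the index i and the value at i and returns the value at s(i)."""
    acc = base
    for i in range(n):
        acc = step(i)(acc)
    return acc


def add(x: int, y: int) -> int:
    """Assumed definition (not on this page): rec over the second argument."""
    return rec(y, x, lambda i: lambda z: S(z))


def mult(x: int, y: int) -> int:
    """D.1: lambda x.lambda y.rec(y, 0, lambda i.lambda z.(add z x))."""
    return rec(y, 0, lambda i: lambda z: add(z, x))


def fact(x: int) -> int:
    """D.2: lambda x.rec(x, 1, lambda i.lambda z.(mult z s(i)))."""
    return rec(x, 1, lambda i: lambda z: mult(z, S(i)))


def ack(m: int, n: int) -> int:
    """D.3: lambda x.rec(x, lambda y.S(y), lambda i.lambda f.lambda y.rec(y, S(S(0)), lambda j.lambda k.(f k))).
    rec is used at the higher type nat -> nat: the base case is the function
    lambda y.S(y) and each step turns the function f for a(i, -) into the one
    for a(s(i), -), whose own base case a(s(i), 0) = S(S(0)) is equation (2)."""
    a_m: Callable[[int], int] = rec(
        m,
        lambda y: S(y),
        lambda i: lambda f: lambda y: rec(y, S(S(0)), lambda j: lambda k: f(k)),
    )
    return a_m(n)
```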



D.4 Typing derivations for shift and reset in ID^¬

D.4.1 Typing derivation for reset

proc(in p; out r)_mk {
  k: {
    cst m = mk;
    mk := proc(in r; out z) {
      jump(k, r, m)_z;
    };
    var y;
    p(; y)_mk;
    jump(mk, y)_{r,mk};
  }_{r,mk}
}

(p: proc(in ¬α; out β, ¬β), mk': ¬γ)[r: ⊤, mk: ¬γ]
  (k: cont(α, ¬γ))[r: ⊤, mk: ¬γ]
  (m: ¬γ)
    | (r: α)[z: ⊤]
    | [z: ⊥]
  [mk: ¬α]
  [y: β, mk: ¬β]
  [r: α, mk: ¬γ]
[r: α, mk: ¬γ]
proc(in proc(in ¬α; out β, ¬β), ¬γ; out α, ¬γ)



D.4.2 Typing derivation for shift

proc(in p; out r)_mk {
  k: {
    proc q(in v; out r)_mk {
      reset(proc(out z)_mk {
        jump(k, v, mk)_{z,mk};
      }; r)_mk;
    };
    var y;
    p(q; y)_mk;
    jump(mk, y)_{r,mk};
  }_{r,mk}
}

(p: proc(in proc(in α, ¬β; out γ, ¬β), ¬δ; out ε, ¬ε), mk': ¬δ)[r: ⊤, mk: ¬δ]
  (k: ¬(α, ¬γ))[r: ⊤, mk: ¬δ]
    | (v: α, mk': ¬β)[r: ⊤, mk: ¬β]
    |   | (mk': ¬γ)[z: ⊤, mk: ¬γ]
    |   | [z: η, mk: ¬η]
    |   proc(in ¬γ; out η, ¬η)
    | [r: γ, mk: ¬β]
  (q: proc(in α, ¬β; out γ, ¬β))
  [y: ⊤]
  [y: ε, mk: ¬ε]
  [r: α, mk: ¬γ]
[r: α, mk: ¬γ]
proc(in proc(in proc(in α, ¬β; out γ, ¬β), ¬δ; out ε, ¬ε), ¬δ; out α, ¬γ)
Appendix E Shift and reset in state-passing style

signature CONT = sig
  type void
  type 'a K = 'a -> void                  (* a continuation is a function into void *)
  val callcc: ('a K -> 'a) -> 'a
  val throw: 'a K -> 'a -> 'b
end

functor ShiftReset(Cont: CONT) = struct
  open Cont

  (* State-passing translation of the reset procedure of D.4.1: the ID variable
     mk (the meta-continuation) is threaded explicitly, and each ID assignment
     becomes a rebinding of the SML variable of the same name. *)
  val reset: ('a K -> 'c * 'c K) * 'd K -> 'a * 'd K =
    fn (p, mk') =>
      let
        val (r, mk) = ((), mk')
        val (r', mk') = (r, mk)
        val (r, mk) =
          callcc (fn k =>
            let
              val (r, mk) = (r', mk')
              val m = mk                   (* cst m = mk *)
              val mk = fn r =>             (* mk := proc(in r; out z){ jump(k, r, m) } *)
                let val z = throw k (r, m)
                in z end
              val (y, mk) = p(mk)          (* p(; y)_mk *)
              val (r, mk) = throw mk y     (* jump(mk, y)_{r,mk} *)
            in (r, mk) end)
      in (r, mk) end

  (* Same translation for the shift procedure of D.4.2. *)
  val shift: (('a * 'b K -> 'c * 'b K) * 'd K -> 'e * 'e K) * 'd K -> 'a * 'c K =
    fn (p, mk') =>
      let
        val (r, mk) = ((), mk')
        val (r', mk') = (r, mk)
        val (r, mk) =
          callcc (fn k =>
            let
              val (r, mk) = (r', mk')
              val q = fn (v, mk) =>        (* proc q(in v; out r)_mk *)
                let val (r, mk) =
                  reset (fn mk =>
                    let val (z, mk) = throw k (v, mk)
                    in (z, mk) end, mk)
                in (r, mk) end
              val (y, mk) = p(q, mk)       (* p(q; y)_mk *)
              val (r, mk) = throw mk y     (* jump(mk, y)_{r,mk} *)
            in (r, mk) end)
      in (r, mk) end
end